A server can build on this base to provide additional features and capabilities.
Fortunately for us servlet developers, it's not always necessary for a servlet to manage its own sessions using the techniques we have just discussed.
The Servlet API provides several methods and classes specifically designed to handle session tracking on behalf of servlets.
Note that installing this servlet is a security risk, as it exposes the server's session IDs--these may be used by unscrupulous clients to join other clients' sessions.
The that is installed by default with the Java Web Server 1.1.x has similar behavior.
Finally, you can remove an object from a session with if the session being accessed is invalid (we'll discuss invalid sessions in an upcoming section).