Implementing sessions in a java web server?

What's the best (most secure) way of implementing session handling in a web server? I'd like to add that, but I don't really know how to implement it. Are cookies a "must" for session handling (to be able to identify which session)?

Pestid asked Feb 13 '10 17:02


People also ask

How are sessions implemented in Java?

To use a session, first create a session using the HttpServletRequest method getSession(). Once the session is established, examine and set its properties using the provided methods. If desired, set the session to time out after being inactive for a defined time period, or invalidate it manually.

What is session in Java Web application?

In simpler terms, a session is a state consisting of several requests and responses between the client and the server. HTTP and web servers are both stateless, so the only way to maintain the user's state across requests is to use a technology that implements session tracking.


3 Answers

The session handling isn't really your concern. It is handled by the HttpSession class (read the description in the javadoc!), which you can obtain by calling request.getSession().

It works in two ways (no need for you to do anything to support them):

  • using a session cookie (if cookies are allowed)
  • using URL rewriting - appending the session id (JSESSIONID) to the URL.

(Note: it is actually handled by the servlet container (Tomcat, jetty, etc) which provides an implementation of HttpSession)

Bozho answered Oct 02 '22 10:10
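The following servlet is an added example (not part of Bozho's answer or of any container's code) showing the HttpSession calls the answer refers to: obtaining the session with `request.getSession()`, setting an idle timeout, invalidating it on logout, and letting the container fall back to URL rewriting via `encodeURL`. It assumes a Servlet 3.1+ container (Tomcat 8+, Jetty 9.1+), which is needed for `changeSessionId()`; the servlet path `/account` and the `user` parameter are invented for the demo.

```java
// Added example (not from the answer above). Assumes a Servlet 3.1+ container
// such as Tomcat 8+ or Jetty 9.1+ (needed for HttpServletRequest.changeSessionId()).
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/account")   // hypothetical path chosen for this demo
public class AccountServlet extends HttpServlet {

    // Idle timeout; the container discards the session after this much inactivity.
    private static final int IDLE_TIMEOUT_SECONDS = 15 * 60;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();

        // getSession(false) does not create a session for anonymous visitors,
        // which keeps memory use and the number of live session ids down.
        HttpSession session = req.getSession(false);

        if ("1".equals(req.getParameter("logout"))) {
            if (session != null) {
                session.invalidate();   // server forgets the id; a stolen cookie is now useless
            }
            out.println("Logged out.");
            return;
        }

        if (session == null || session.getAttribute("user") == null) {
            out.println("Not logged in. POST user=<name> to /account to log in.");
            return;
        }

        out.println("Hello, " + session.getAttribute("user"));
        // The container reports how it recovered the session id on this request.
        out.println("id came from cookie: " + req.isRequestedSessionIdFromCookie());
        out.println("id came from URL:    " + req.isRequestedSessionIdFromURL());
        out.println("id is still valid:   " + req.isRequestedSessionIdValid());
        // encodeURL appends ;jsessionid=... only when the client sent no session
        // cookie; that is the URL-rewriting fallback the answer refers to.
        out.println("logout: " + resp.encodeURL(req.getContextPath() + "/account?logout=1"));
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");
        if (user == null || user.trim().isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing 'user' parameter");
            return;
        }
        // A real login would verify credentials here before touching the session.

        HttpSession session = req.getSession(true);   // create one if none exists
        // Issue a fresh id at the privilege boundary so that an id the client
        // held before authenticating never becomes an authenticated id
        // (the standard defence against session fixation).
        req.changeSessionId();
        session.setAttribute("user", user.trim());
        session.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);

        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/account"));
    }
}
```

Deploy it in any servlet container and request `/account` once with cookies disabled in the browser: the logout link will carry `;jsessionid=...`, which is the URL-rewriting mode. With cookies enabled the id travels only in the JSESSIONID cookie and the link stays clean, which is the mode to prefer since an id in the URL ends up in logs, history and Referer headers.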


Assuming that you're talking about a servlet container, then session handling comes baked in. See the relevant part of the JavaEE tutorial. It covers the session API, as well as how sessions are tracked (cookie or URL rewriting).

skaffman answered Oct 02 '22 10:10


Session handling is handled by the web container. If you want safety from prying eyes, use https (enforced in web.xml).

What you might also be interested in is how the user identifies himself to the web container. Several options exist, where the most secure is for the client to use a web browser with a digital certificate. That is quite tedious, but very secure :)

Thorbjørn Ravn Andersen answered Oct 02 '22 11:10
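As an added example (not from this answer or from any container's code), the two classes below show the Java-annotation form of what the answer suggests doing in web.xml: forcing https for a resource with a CONFIDENTIAL transport guarantee, marking the session cookie Secure and HttpOnly, and reading the client certificate the container presents after a TLS handshake with client authentication. The class names, the `/secure/whoami` path and the "two files in one block" layout are this example's own; it assumes a Servlet 3.1+ container on which TLS is already configured and whose connector requests client certificates (or whose web.xml declares `<auth-method>CLIENT-CERT</auth-method>`).

```java
// Added example, not from the answer above. Two source files shown in one
// block; assumes a Servlet 3.1+ container with TLS already configured and,
// for the client-certificate part, a connector that requests client
// certificates (or web.xml with <auth-method>CLIENT-CERT</auth-method>).

// ---- File: SessionHardeningListener.java ----
import java.util.EnumSet;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

@WebListener
public class SessionHardeningListener implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cookie = sce.getServletContext().getSessionCookieConfig();
        cookie.setSecure(true);    // browser sends JSESSIONID only over https
        cookie.setHttpOnly(true);  // page scripts cannot read it
        // Cookie-only tracking: an id embedded in the URL would otherwise leak
        // through server logs, browser history and Referer headers.
        sce.getServletContext().setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}

// ---- File: WhoAmIServlet.java ----
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// CONFIDENTIAL is the annotation form of web.xml's
// <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>;
// the container redirects plain-http requests for this servlet to https.
@WebServlet("/secure/whoami")   // hypothetical path chosen for this demo
@ServletSecurity(@HttpConstraint(transportGuarantee = TransportGuarantee.CONFIDENTIAL))
public class WhoAmIServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The servlet spec exposes the client's certificate chain under this
        // request attribute when the TLS handshake included client authentication.
        X509Certificate[] chain =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");

        if (chain == null || chain.length == 0) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }

        // chain[0] is the client's own certificate; the container has already
        // validated the chain against its configured trust store.
        String subject = chain[0].getSubjectX500Principal().getName();
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println("Authenticated by certificate: " + subject);
        resp.getWriter().println("Connection is secure: " + req.isSecure());
    }
}
```

The same cookie settings can be declared in web.xml instead of code, under `<session-config>` as `<cookie-config><secure>true</secure><http-only>true</http-only></cookie-config>` plus `<tracking-mode>COOKIE</tracking-mode>`. Whichever form you use, the Secure flag only helps if every URL that carries the session is https, which is why the transport guarantee and the cookie flag belong together.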