What's the best (most secure) way of implementing session handling in a web server? I'd like to add that, but don't know how to implement it really. Are cookies a "must" for session handling? (To be able to identify which session)

+6  A: 

The session handling isn't really your concern. It is handled by the HttpSession class (read the description in the javadoc!), which you can obtain by calling request.getSession().

It works in two ways (no need for you to do anything to support them):

  • using a session cookie (if cookies are allowed)
  • using url-rewriting - appending the session id (JSESSIONID) to the URL.

(Note: it is actually handled by the servlet container (Tomcat, jetty, etc) which provides an implementation of HttpSession)

Bozho
+1. Just grab `HttpSession` from the request and use `get/setAttribute()` to get/set stuff in session scope. That's really all :)
BalusC
Actually he never said he is working in a servlet container environment. I understood he is writing his own webserver. Might be wrong though.
Willi
@Willi then my answer is again useful, because I've pointed the two options that are used. But that should have really been clarified.
Bozho
Willi is right, but I don't blame you for your answer, and you did answer with two options, which was really helpful :) I totally forgot the url-rewriting part. Is that, along with ip and user-agent, pretty much the only thing that verifies a session? (if cookie isn't used)
Pestid
http://www.w3.org/Protocols/rfc2616/rfc2616.html would be helpful. Yes, that's all I think (though I'm not sure whether ip+user agent are necessary)
Bozho
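The `getSession()` / `setAttribute()` usage from the answer above, as an added example that is not code from the original answer. It assumes a Servlet 3.0+ container (Tomcat, Jetty) and Java 9+, and the credential store is a constructed stand-in. The two public classes go in `LoginServlet.java` and `LogoutServlet.java`. The point a practitioner cares about is the middle of `doPost`: the session id the client arrived with is thrown away and a fresh one is issued only after authentication succeeds, which closes session fixation regardless of whether the id travels in a cookie or in the URL.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not code from the answer above. Assumes a Servlet 3.0+
// container; the credential check below is a constructed stand-in.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    // Constructed demo credential. A real application verifies a salted
    // password hash (PBKDF2, bcrypt, ...) here, never a stored plaintext.
    private static final Map<String, byte[]> DEMO_USERS = Map.of(
            "alice", "correct horse battery staple".getBytes(StandardCharsets.UTF_8));

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");

        if (!authenticate(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Session fixation defence: discard whatever session id the client
        // arrived with (it may have been planted by an attacker) and let the
        // container issue a fresh one only after the credentials check out.
        HttpSession stale = req.getSession(false);   // false: do not create one
        if (stale != null) {
            stale.invalidate();
        }
        HttpSession session = req.getSession(true);  // new id issued here
        session.setAttribute("user", user);
        session.setMaxInactiveInterval(15 * 60);     // idle timeout, seconds

        resp.sendRedirect(req.getContextPath() + "/home");
    }

    // Constant-time comparison so a wrong password does not leak how many
    // leading bytes matched through response timing.
    private boolean authenticate(String user, String pass) {
        if (user == null || pass == null) {
            return false;
        }
        byte[] expected = DEMO_USERS.get(user);
        return expected != null
                && MessageDigest.isEqual(expected, pass.getBytes(StandardCharsets.UTF_8));
    }
}

// Logout must invalidate the server-side session; merely deleting the cookie
// in the browser leaves the id usable by anyone who captured it.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        resp.sendRedirect(req.getContextPath() + "/login");
    }
}
```

On a Servlet 3.1 container (Tomcat 8+, Jetty 9.1+) `req.changeSessionId()` rotates the id while keeping the attributes, which is the lighter alternative to invalidate-and-recreate. Everywhere else in the application, read the session with `req.getSession(false)` and treat a `null` result or a missing `"user"` attribute as "not logged in"; calling `getSession()` without the flag silently creates anonymous sessions for every crawler and probe.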
+1  A: 

Assuming that you're talking about a servlet container, then session handling comes built in. See the relevant part of the JavaEE tutorial. It covers the session API, as well as how sessions are tracked (cookie or URL rewriting).

skaffman
+1  A: 

Session handling is handled by the web container. If you want safety from prying eyes, use https (enforced in web.xml).

What you might be interested in also, is how the user identifies himself to the web container. Several options exist, where the most secure is that the client uses a web browser with a digital certificate. That is quite tedious, but very secure :)

Thorbjørn Ravn Andersen
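How the HTTPS enforcement and cookie handling the answer above mentions look in code, as an added example that is not from the original answer. It assumes a Servlet 3.0+ container and uses the programmatic equivalents of the `web.xml` settings: the listener is what `<session-config>` with `<cookie-config>` and `<tracking-mode>` would configure, and the `CONFIDENTIAL` annotation is what a `<security-constraint>` with `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` would do. The two public classes go in `SessionHardening.java` and `HomeServlet.java`.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not code from the answer above. Assumes a Servlet 3.0+
// container. Runs once at deployment, before any session exists, and
// hardens how the container hands out JSESSIONID.
@WebListener
public class SessionHardening implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Cookie-only tracking: no ;jsessionid=... in URLs, where the id would
        // leak through Referer headers, proxy logs, bookmarks and shared links.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true);  // not readable by page script
        cookie.setSecure(true);    // browser sends it over HTTPS only
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
    }
}

// Protected page. CONFIDENTIAL makes the container redirect plain-HTTP
// requests to HTTPS before doGet runs, so the session cookie is never
// requested over a channel on which it would be sent in the clear.
@WebServlet("/home")
@ServletSecurity(@HttpConstraint(
        transportGuarantee = ServletSecurity.TransportGuarantee.CONFIDENTIAL))
public class HomeServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);  // never create here
        String user = session == null ? null : (String) session.getAttribute("user");
        if (user == null) {
            resp.sendRedirect(req.getContextPath() + "/login");
            return;
        }
        resp.setContentType("text/plain;charset=UTF-8");
        try (PrintWriter out = resp.getWriter()) {
            out.println("Hello, " + user);
        }
    }
}
```

Two caveats when trying this: with `setSecure(true)` a browser will not send the cookie back over plain `http://`, so a development setup without TLS appears to "lose" the session on every request, which is the setting working as intended; and the tracking mode must be set before the first session is created, which is why it lives in the context listener rather than in a servlet. Client-certificate login, the option the answer calls the most secure, is configured in `web.xml` with `<login-config><auth-method>CLIENT-CERT</auth-method></login-config>` plus a truststore on the connector; it has no annotation equivalent.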