I'm using HttpSession objects for an on-line form HttpSession session = request.getSession(true); session.setAttribute("test", test); Where the attribute "test" is a javabean that stores all of the data associated with the session. During each subsequent request(or step), I do the getSession method-if its new-I invalidate the session. And I also use the following method to get the bean: TestSql test = (TestSql)session.getAttribute("test"); I use a request dispatcher to forward to a jsp page. The jsp page uses <jsp:useBean id="test" class="TestSql" scope="session"/> and uses data from the bean. My question is ---- am I tracking sessions properly- I mean- should I use URL-rewriting or hidden fields to generate and store session id's to identify them to the server. I've had no problems so far(all of the data has been correct), but I'm wondering if I still need to implement a session tracking mechanism in addition to the java bean attributes.Thanks in advance.