If your application requires security, I can 'become' another user just by sending another user id. It is harder to guess session ids. Also, session ids are separate to login details, so that you can still track a user's movement without requiring them to log in.
If your application requires security, I can 'become' another user just by sending another user id. It is harder to guess session ids.
But if I use the POST method each time, then it is harder for a user to judge any user id, and hardest to know how to pass the user id with the request...
Sessions are useful for the server to identify the client. The server can identify the user with the session id. Whenever the user sends a request to the server, it will create a session id. This is mainly used with HTTP communication, as HTTP is a stateless protocol (which does not maintain the state of the client). With the help of sessions, the server can maintain the state of the client.
But the problem with hidden fields is that they will be passed each time from server to browser and then from browser back to server. So to avoid that you can use Session. Also, if I don't want to send some information to the client but it is needed in many of my pages, I may use session.
Using session allows you to keep (cache) Java objects in memory on the server. Since reading from memory is exponentially faster than disk IO, this can make your app much more responsive and efficient. It can also make your code a lot cleaner, simpler, and easier to maintain. It only takes a line or two to reference an object bound to session. Compare that with the database code required to look up and parse the user's information every time they post a request and you can start to see the benefit.
There are downsides too. Needlessly loading all kinds of objects into session can cause your app's memory footprint to grow. If you're using session replication to cluster your app servers then all the objects in session will need to be serialized and de-serialized with every hit.
Like everything in this profession, the trick is to find the right balance for the app you're building.
Oh... The answer to your first question: No, it's not necessary to create sessions. There are plenty of web applications out there that don't use them at all. [ December 19, 2005: Message edited by: Ben Souther ]
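The point made at the top of the thread (a user id sent with each request can simply be changed by the client, while a session id is hard to guess), shown as an added example that is not code from any poster here. The class and method names and the user ids 1001 and 1002 are hypothetical, and a plain in-memory map stands in for the servlet container's session store.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

public class SessionVsUserIdDemo {
    private static final SecureRandom RNG = new SecureRandom();
    // Server-side state: session id -> user id. The client never sees this map.
    private static final Map<String, Integer> SESSIONS = new ConcurrentHashMap<>();

    // Called after a successful login: issue a 128-bit random, unguessable id.
    static String createSession(int userId) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String sessionId = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        SESSIONS.put(sessionId, userId);
        return sessionId;
    }

    // Weak: trusts whatever user id the request carries (hidden field, GET or POST alike).
    static Optional<Integer> userFromRequestParam(String userIdParam) {
        try {
            return Optional.of(Integer.parseInt(userIdParam));
        } catch (NumberFormatException e) {
            return Optional.empty();
        }
    }

    // Stronger: the request carries only the session id; identity is looked up server-side.
    static Optional<Integer> userFromSession(String sessionId) {
        return Optional.ofNullable(sessionId).map(SESSIONS::get);
    }

    public static void main(String[] args) {
        String aliceSession = createSession(1001); // constructed sample user ids
        createSession(1002);

        // A client that edits the posted field to 1002 is accepted as user 1002.
        System.out.println("param 1002   -> " + userFromRequestParam("1002"));
        // The legitimate session id resolves to its owner only.
        System.out.println("real session -> " + userFromSession(aliceSession));
        // A guessed or made-up session id resolves to nobody.
        System.out.println("guessed id   -> " + userFromSession("1002"));
    }
}
```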