Have you had a look into the JavaDocs? To which implementation do you refer? Session is such a general name for a class that you can find it in nearly every second project.
Btw.: What has this question got to do with security?
Yes, it is related to security. Well, I may not have been clear enough. Sorry for that.
Actually, I am trying to write a simple client-server secret key exchange program. I saw an article on the internet that says that the server also needs to return a "session id". I did not get what the article meant by that. I just know about the servlet session.
So that's why I wanted to know if there is a different "session". Like generating a unique "session id" for a user apart from the normal httpsession. This "session id" is used to maintain the security (authentication) of the client.
harke baj wrote: Actually, I am trying to write a simple client-server secret key exchange program.
Wow, this is a complex topic, and other than as a learning experience, a really bad idea. A secret key is supposed to be kept secret. Exchanging them is a really bad idea in general.
What some good protocols do is generate a transmission key just for an exchange of data, and use RSA to encrypt the transmission key, send that, and use the transmission key with a block cipher such as AES to encipher the cleartext. Send the ciphertext, and the other guy can use RSA to decrypt the transmission key. Then he can use the transmission key to read the message.
Sending long term secret keys is a really, really bad idea.