I've been playing with Struts for some time and really like the framework.
The thing I have been wondering is how the HTTP part really works. For example, when I'm doing a password-secured application, I like to add a UserBean to the session scope when the user goes through the LoginAction. The bean contains all the necessary information about the user that I would like to have available while the user is using the application.
The question: is the UserBean really transferred to the client via HTTP, or does the HTTP/app server simply keep some kind of reference to the bean?
The reason I'm asking is that I've been wondering about the security issues. If the bean is really transferred to the client, can somebody with knowledge "decrypt" the bean and read all of its data?
When an HttpSession is created for a user, that session and all objects associated with it exist strictly on the server. It is not transferred back and forth to the browser. The way that most application servers keep track of sessions is with cookies. The way this works is that when the App Server creates a session for you, it puts a cookie on your browser. In that cookie is a unique session ID which tells the App Server which session is yours.
The only way that a third party could access this data would be to either guess the session ID (very unlikely) or to listen in on your interactions with the server and then create a cookie with the same session ID on their browser. If you're worried about this, using HTTPS will prevent a third party from listening in on the transaction.
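To make the answer above concrete, here is an added example (not code from the original post, from Struts, or from any servlet container): a minimal server-side session store in Python that shows what actually crosses the wire. The `UserBean` field names, the `login_response` handler and the `bean_leaks_to_client` check are assumptions made for the illustration; `JSESSIONID` is the cookie name servlet containers use by default. The bean lives only in a server-side dictionary; the client receives a random 128-bit identifier and nothing else. The example also shows the two attack paths the answer mentions: a forged ID fails, while a captured cookie replayed from another client is honoured exactly like the legitimate one, which is why the `Secure` flag and HTTPS matter.

```python
"""Added example: server-side session store demonstrating that only a random
session ID, never the session-scoped bean, is sent to the browser."""
import secrets
from dataclasses import dataclass, field, asdict


@dataclass
class UserBean:
    """Stand-in for the session-scoped bean; the fields are assumptions."""
    username: str
    role: str
    email: str


@dataclass
class Session:
    """Server-side container for session-scoped attributes."""
    attributes: dict = field(default_factory=dict)


class SessionStore:
    """Keeps Session objects in server memory, keyed by an unguessable ID."""

    COOKIE_NAME = "JSESSIONID"  # default cookie name in servlet containers
    ID_BYTES = 16               # 128 bits from the OS CSPRNG

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def create(self) -> str:
        session_id = secrets.token_urlsafe(self.ID_BYTES)
        self._sessions[session_id] = Session()
        return session_id

    def get(self, session_id: str):
        return self._sessions.get(session_id)

    def set_cookie_header(self, session_id: str) -> str:
        # Secure: not sent over plain HTTP. HttpOnly: not readable by page scripts.
        return f"{self.COOKIE_NAME}={session_id}; Path=/; HttpOnly; Secure"


def login_response(store: SessionStore, bean: UserBean) -> dict:
    """Hypothetical LoginAction: store the bean server-side, return what the client sees."""
    sid = store.create()
    store.get(sid).attributes["user"] = bean
    return {
        "headers": {"Set-Cookie": store.set_cookie_header(sid)},
        "body": "<html>Welcome</html>",
    }


def bean_leaks_to_client(response: dict, bean: UserBean) -> bool:
    """True if any bean field value appears in the bytes sent to the client."""
    wire = "\n".join(f"{k}: {v}" for k, v in response["headers"].items())
    wire += "\n\n" + response["body"]
    return any(str(v) in wire for v in asdict(bean).values())


def cookie_value(response: dict) -> str:
    """Extract the session ID from Set-Cookie, as a browser (or a sniffer) would."""
    name_value = response["headers"]["Set-Cookie"].split(";", 1)[0]
    name, value = name_value.split("=", 1)
    if name != SessionStore.COOKIE_NAME:
        raise ValueError("unexpected cookie name")
    return value


def request_with_cookie(store: SessionStore, session_id: str):
    """A later request presenting a cookie: whoever holds the ID gets the session."""
    session = store.get(session_id)
    return None if session is None else session.attributes.get("user")


def expected_guesses_per_session() -> int:
    """Average brute-force attempts to hit one specific live 128-bit session ID."""
    return 2 ** (8 * SessionStore.ID_BYTES - 1)


if __name__ == "__main__":
    store = SessionStore()
    alice = UserBean("alice.smith", "administrator", "alice@example.com")  # constructed
    resp = login_response(store, alice)
    print("Set-Cookie:", resp["headers"]["Set-Cookie"])
    print("bean fields on the wire:", bean_leaks_to_client(resp, alice))
    sid = cookie_value(resp)
    print("legitimate client:", request_with_cookie(store, sid))
    print("forged ID:", request_with_cookie(store, "guess-0001"))
    # An eavesdropper who copied the cookie is indistinguishable from Alice:
    print("replayed cookie:", request_with_cookie(store, sid))
    print("guesses needed on average:", expected_guesses_per_session())
```

The replay line is the point the answer makes about listening in: the server has no way to tell a copied cookie from the original, so the defence is to keep the ID off the wire in clear text (HTTPS plus the `Secure` attribute) and out of reach of injected scripts (`HttpOnly`), not to make the bean itself secret.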