
low-level understanding of http/struts/beans

john scofield

Joined: Jun 08, 2006
Posts: 1
Hello all,

I've been playing with Struts for some time and really like the framework.

The thing I have been wondering about is how HTTP really works. For example, when I'm doing a password-secured application, I like to add a UserBean to the session scope when the user goes through the LoginAction. The bean contains all the necessary information about the user that I would like to have available while the user is using the application.

The question: is the UserBean really transferred to the client via HTTP, or does the HTTP/app server simply keep some kind of reference to the bean?

The reason I'm asking is that I've been wondering about the security issues. If the bean is really transferred to the client, can somebody with knowledge "decrypt" the bean and read all of its data?


- John
Merrill Higginson
Ranch Hand

Joined: Feb 15, 2005
Posts: 4864
When an HttpSession is created for a user, that session and all objects associated with it exist strictly on the server. It is not transferred back and forth to the browser. The way that most application servers keep track of sessions is with cookies. The way this works is that when the App Server creates a session for you, it puts a cookie on your browser. In that cookie is a unique session ID which tells the App Server which session is yours.

The only way that a third party could access this data would be to either guess the session ID (very unlikely) or listen in on your interactions with the server and then create a cookie with the same session ID on their browser. If you're worried about this, using HTTPS will prevent a third party from listening in on the transaction.

Consultant, Sima Solutions
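To make the answer above concrete, here is an added example (not Struts, Tomcat, or any code from this thread) that models what a servlet container does with a session: the bean lives in a server-side map, and the only thing written to the wire is an opaque, random session ID in a Set-Cookie header. The `SessionModel`, `UserBean` and `setCookieHeader` names are assumptions of this example; the `Secure` and `HttpOnly` cookie attributes are the ones a real container would emit when the session is created over HTTPS.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Minimal model of a container's session handling; an illustration, not Struts or Tomcat code. */
public class SessionModel {

    /** Stand-in for the UserBean placed in session scope by a LoginAction. */
    static final class UserBean {
        final String username;
        final String role;
        UserBean(String username, String role) { this.username = username; this.role = role; }
    }

    /** Server-side store: session ID -> attributes. This map never leaves the server. */
    private final Map<String, Map<String, Object>> sessions = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    /** Creates a session and returns the only thing the client ever sees: an opaque, random ID. */
    String createSession() {
        byte[] raw = new byte[16];           // 128 bits of entropy, the same order as a JSESSIONID
        random.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(id, new ConcurrentHashMap<>());
        return id;
    }

    /** Equivalent of session.setAttribute("user", bean) inside a LoginAction. */
    void setAttribute(String sessionId, String name, Object value) {
        Map<String, Object> attrs = sessions.get(sessionId);
        if (attrs == null) throw new IllegalStateException("no such session");
        attrs.put(name, value);
    }

    /** Equivalent of session.getAttribute(name); null when the presented ID matches no session. */
    Object getAttribute(String sessionId, String name) {
        Map<String, Object> attrs = sessions.get(sessionId);
        return attrs == null ? null : attrs.get(name);
    }

    /** What actually travels over HTTP: a cookie carrying the ID, never the bean's fields. */
    static String setCookieHeader(String sessionId) {
        return "Set-Cookie: JSESSIONID=" + sessionId + "; Path=/; Secure; HttpOnly";
    }

    public static void main(String[] args) {
        SessionModel server = new SessionModel();

        // LoginAction: build the bean and attach it to the session (server side only)
        String id = server.createSession();
        server.setAttribute(id, "user", new UserBean("john", "admin"));

        String header = setCookieHeader(id);
        System.out.println(header);
        // The wire carries the ID; the username and role are not in it
        System.out.println("cookie contains username? " + header.contains("john"));

        // The same browser presents the cookie on its next request; the server looks the bean up by ID
        UserBean bean = (UserBean) server.getAttribute(id, "user");
        System.out.println("user from session: " + bean.username + " / " + bean.role);

        // A guessed ID resolves to nothing: there is no data on the client to "decrypt"
        System.out.println("guessed ID resolves to: " + server.getAttribute("AAAAAAAAAAAAAAAAAAAAAA", "user"));

        // The ID is the whole credential, though: whoever presents it gets the session.
        // That is why the cookie is marked Secure and the login is served over HTTPS.
        System.out.println("replayed ID resolves to: " + server.getAttribute(id, "user"));
    }
}
```

Run with `javac SessionModel.java && java SessionModel`. The guessed-ID lookup prints `null`, and the `contains("john")` check prints `false`, which is the point of the answer: the client holds a reference (the ID), not the bean. The last line shows why HTTPS matters: a captured ID is as good as the original, so protecting it in transit is what keeps the server-side data private.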