• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Tim Cooke
  • Liutauras Vilda
  • Jeanne Boyarsky
  • paul wheaton
Sheriffs:
  • Ron McLeod
  • Devaka Cooray
  • Henry Wong
Saloon Keepers:
  • Tim Holloway
  • Stephan van Hulst
  • Carey Brown
  • Tim Moores
  • Mikalai Zaikin
Bartenders:
  • Frits Walraven

session management (Mock Exam Question)

 
Greenhorn
Posts: 13
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I found this on Jiris

The four methods for session management in the context of web-based application are: Cookie, HttpSession object, URL rewriting and Hidden value.

Is the above statement true? Should it not be SSL instead of HttpSession object?
 
Bartender
Posts: 6663
5
MyEclipse IDE Firefox Browser Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Why not HttpSession objects ? Surely you use request.getSession() to create new sessions or return the reference to existing sessions.
[ November 25, 2006: Message edited by: John Meyers ]
 
Enthuware Software Support
Posts: 4885
60
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I think what Aanal is saying is correct in the context of this question. It should be HTTPS (HTTP over SSL) instead of HttpSession. The reason is that HttpSession is just a wrapper over the underlying mechanism that is actually used to implement session behavior. Thus, HttpSession will work same irrespective the underlying mechanism - cookies, URL rewriting, hidden form fields, or HTTPS.

Unless, the question is considering the usage of raw mechanisms to implement its own session management in the web application. In this case, a developer might want to handle cookies/hidden form fields himself instead of working with HttpSession object. But I doubt it.
 
Rancher
Posts: 43081
77
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Although SSL/HTTPS does create a session, it is one on a lower level than HttpSession provides - you can't derive an HttpSession from an HTTPS connection, because the session details are invisible to the servlet. So, if the point of the question is to work within the framework of servlets/JSPs, then HTTPS is not a way to create a session.
 
Paul Anilprem
Enthuware Software Support
Posts: 4885
60
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Ulf Dittmer:
Although SSL/HTTPS does create a session, it is one on a lower level than HttpSession provides - you can't derive an HttpSession from an HTTPS connection, because the session details are invisible to the servlet. So, if the point of the question is to work within the framework of servlets/JSPs, then HTTPS is not a way to create a session.



With due respect, I do not think that is entirely correct. SSL provides "SSL Session", and an ID to identify that SSL Session, which in turn can be used by the servlet container to locate and associate an HttpSession with the request. In this mode, there is not need for cookie, URL Rewriting, or any other mechanism for locating HttpSession.

Some webservers, such as IIS do not make the SSL Session ID available to servlet container plugins (or has it changed now?), in which case it is not possible to use this mechanism.
 
Ulf Dittmer
Rancher
Posts: 43081
77
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I stand corrected - the servlet spec 2.4 mentions this in #7.1.2.

But is any servlet container actually doing this? It would depend on the SSL ID being available to the servlet container, which is often not the case because the SSL session is terminated (e.g. by the web server or a hardware device) before the servlet container ever sees the request. I suppose the ID could be passed along as an additional HTTP header in order to make this possible.
[ November 27, 2006: Message edited by: Ulf Dittmer ]
 
You guys wanna see my fabulous new place? Or do you wanna look at this tiny ad?
Gift giving made easy with the permaculture playing cards
https://coderanch.com/t/777758/Gift-giving-easy-permaculture-playing
reply
    Bookmark Topic Watch Topic
  • New Topic