Originally posted by Tim Baker:
I understand what you are saying.
Another issue to consider is that anything you keep in hidden fields on the page can be altered by an end user, so anything you get back from hidden fields should not be trusted.
Originally posted by William Brogden:
Servlet containers are allowed to Serialize sessions to disk or other storage so they do NOT have to keep all active sessions in memory. That's why you should ensure that all objects "stored" in sessions should implement Serializable.
Originally posted by Bear Bibeault:
No. Regardless of whether you use a session anywhere, the container manages it.
Never create a session on your own. Never. Ever.
Originally posted by Ben Souther:
Don't ever use new to get a session.
In your JSP use the "session" variable created for you by the container.
In the servlet, use request.getSession().
Always let the container handle the creation of the session.
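
The three points raised in this thread, combined in one servlet as an added example (not code from any of the posters): hidden-field values are treated as untrusted input, the session comes from request.getSession(), and the object stored in it implements Serializable. The class name, parameter names, attribute name and price table are assumptions made for illustration, as is the use of the javax.servlet API package.

```java
import java.io.IOException;
import java.io.Serializable;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet for illustration; all names here are assumptions.
public class AddToCartServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    // Session attributes implement Serializable so the container can
    // write the session to disk or other storage and restore it later.
    public static class CartItem implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sku;
        final long priceCents;
        CartItem(String sku, long priceCents) {
            this.sku = sku;
            this.priceCents = priceCents;
        }
    }

    // Constructed sample catalogue: the server-side source of truth for prices.
    private static final Map<String, Long> PRICES =
            Map.of("SKU-1001", 1999L, "SKU-1002", 4500L);

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // The form may carry hidden inputs named "sku" and "price". Both arrive
        // as ordinary request parameters that the end user can edit.
        String sku = request.getParameter("sku");
        Long price = (sku == null) ? null : PRICES.get(sku);
        if (price == null) {
            // Reject anything that does not match a known server-side item.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unknown item");
            return;
        }
        // The "price" parameter is deliberately never read: price comes from PRICES.

        // The container creates or looks up the session; never use "new" for one.
        HttpSession session = request.getSession();
        session.setAttribute("lastItem", new CartItem(sku, price));
        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```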