servlet state session

Hi,

I was going through the servlet state session tracking topic.

I would like to know the different approaches and the advantages and disadvantages of each approach. Why is URL rewriting better than hidden fields or cookies? I would like to run some practical examples on each of these approaches. Please advise.

Any links resources ideas highly appreciated. Thanks in advance
LVL 7
gudii9Asked:

girionisCommented:
0
mccarlIT Business Systems Analyst / Software DeveloperCommented:
There are pros and cons to all methods...

Cookies - they can be disabled in the user's browser; the server has no control over this.
URL rewriting - There is a notion that it is untidy to have URLs containing a lot, also some effort needs to be put in to make sure all URLs get the sessionId attached to them, and lastly there are potential security issues relating to disclosure of the actual sessionId to other people (refer below).
Hidden fields - these also require effort on the application's part to make sure that the hidden field is on every page and that every page action is via a form submission.

Regarding the security note above about URL rewriting: while all three methods involve sending the sessionID in cleartext (unless HTTPS is used), the issue with URL rewriting is that often a user might copy/paste a URL and send it to someone, and therefore the sessionID has been disclosed. Also, if the user navigates to a different page, the Referer header might be set to the current page's URL (containing the sessionID) and hence this second web server has now got hold of the sessionId.
0
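The practical examples the question asks for, in one servlet that exercises all three mechanisms mccarl lists above. This is an added example, not code from the original thread or from any Experts Exchange member: it assumes a Servlet 3.0+ container with the javax.servlet API (the older package name, matching the era of the thread), and the servlet path `/counter` is a hypothetical name chosen here.

```java
// Added example, not from the original post. Assumes a Servlet 3.0+ container
// (javax.servlet API). Deploy and open /counter with cookies enabled, then again
// with cookies blocked, to watch the container switch from the JSESSIONID cookie
// to ;jsessionid=... URL rewriting. The hidden field is plain application state.
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/counter")   // hypothetical path for this demo
public class SessionTrackingDemoServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        handle(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        handle(req, resp);
    }

    private void handle(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // 1. Cookie / URL rewriting: the container creates the session and, by
        //    default, issues a JSESSIONID cookie. Which mechanism carried the ID
        //    on *this* request is reported by the isRequestedSessionIdFrom* methods.
        HttpSession session = req.getSession(true);
        Integer visits = (Integer) session.getAttribute("visits");
        visits = (visits == null) ? 1 : visits + 1;
        session.setAttribute("visits", visits);

        // 2. Hidden field: state the application carries itself, so it survives
        //    only as long as every page re-submits the field through a form.
        int formCount = 0;
        String hidden = req.getParameter("formCount");
        if (hidden != null) {
            try {
                formCount = Integer.parseInt(hidden);
            } catch (NumberFormatException ignored) {
                // client-controlled value; fall back to 0 rather than fail
            }
        }
        formCount++;

        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<html><body>");
        out.println("<p>Container-managed session visits: " + visits + "</p>");
        out.println("<p>Session ID came from cookie: " + req.isRequestedSessionIdFromCookie()
                + ", from URL: " + req.isRequestedSessionIdFromURL() + "</p>");

        // 3. URL rewriting: encodeURL() appends ;jsessionid=... only while the
        //    container has not yet seen the session cookie come back from this client.
        String rewritten = resp.encodeURL(req.getContextPath() + "/counter");
        out.println("<p><a href=\"" + rewritten + "\">Follow rewritten link</a></p>");

        // The hidden value is an int we computed, so it is safe to embed in HTML;
        // a string from the client would need escaping. It identifies nothing,
        // so never treat a hidden field as proof of who the user is.
        out.println("<form method=\"post\" action=\"" + rewritten + "\">");
        out.println("<input type=\"hidden\" name=\"formCount\" value=\"" + formCount + "\">");
        out.println("<input type=\"submit\" value=\"Submit hidden-field form\">");
        out.println("</form>");
        out.println("</body></html>");
    }
}
```

The rewritten link is where the disclosure risk mccarl describes shows up: with cookies blocked, the `href` the servlet emits carries `;jsessionid=...`, and anything that copies that link (a pasted URL, the browser's Referer header on the next navigation) carries the session identifier with it.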
gudii9Author Commented:
>>>while all three methods involve sending the sessionID in cleartext (unless HTTPS is used),


How is it sent in case of HTTPS?

>>> URL rewriting is that often a user might copy/paste a url and send to someone, and therefore the sessionID has been disclosed

what is the issue if sessionID is disclosed?


>>> if the user navigates to a different page, the Referer header might be set to the current page's URL (contained the sessionID) and hence this second web server has now got a hold of the sessionId


Can you please elaborate on this?

What is the meaning of the Referer header?
0
girionisCommented:
How it is sent in case of HTTPS
Encrypted.

what is the issue if sessionID is disclosed?
Other people can pretend they are you.

can you please elaborate on this.
The "Referer" (a misspelling of referrer) is a header that tells a server who sent you to it. It's a URL and if it contains the session id, other people can know it.
0
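The two risks girionis names (the session id travelling in cleartext, and the id leaking through the Referer header) are both addressed on the server side by the container configuration below. This is an added hardening example, not code from the original thread or any of its participants; it assumes a Servlet 3.1+ container with the javax.servlet API, and the class names are chosen here.

```java
// Added hardening example, not from the original thread. Assumes a Servlet 3.1+
// container (javax.servlet API). Two top-level classes, so two source files.

// ---- File: SessionHardeningListener.java ----
import java.util.EnumSet;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

@WebListener
public class SessionHardeningListener implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // Cookie-only tracking: encodeURL() stops appending ;jsessionid=..., so the
        // id can no longer be copied out of a link or forwarded in a Referer header.
        // Must be set here, before the context finishes initialising.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        SessionCookieConfig cfg = ctx.getSessionCookieConfig();
        cfg.setHttpOnly(true);   // not readable by page scripts
        cfg.setSecure(true);     // sent only over HTTPS, i.e. never in cleartext
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}

// ---- File: SessionLeakFilter.java ----
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter("/*")
public class SessionLeakFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(SessionLeakFilter.class.getName());

    // True when the referring page's URL carried a session id, i.e. some page
    // (ours or a legacy one) is still using URL rewriting and leaking the id.
    static boolean refererCarriesSessionId(String referer) {
        return referer != null && referer.toLowerCase().contains("jsessionid=");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpReq = (HttpServletRequest) req;
        HttpServletResponse httpResp = (HttpServletResponse) resp;

        // Detection: log inbound Referer headers that contain a session id so the
        // leaking page can be found. Log the path, never the id itself.
        if (refererCarriesSessionId(httpReq.getHeader("Referer"))) {
            LOG.warning("Referer carried a jsessionid on request to " + httpReq.getRequestURI());
        }

        // Mitigation: tell browsers not to send a Referer when leaving our pages,
        // so even a URL that still contains an id is not forwarded to other sites.
        // Headers must be set before the response is committed, hence before doFilter.
        httpResp.setHeader("Referrer-Policy", "no-referrer");
        chain.doFilter(req, resp);
    }
}
```

With tracking restricted to cookies and the cookie marked Secure, the "pretend they are you" scenario needs the attacker to obtain the cookie over an HTTPS connection rather than from a pasted link; regenerating the id at login with `request.changeSessionId()` (Servlet 3.1) closes the remaining case where an id issued before authentication is already known to someone else.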