Session Management

Session management is critical part of web programming and we use it regularly duirng our web application development, this has to be handled very carefully else it can blow up the security of the applciation & data. Cookies are provided to store simple user-related data on the browser. But this poses high amount of risk for security of the data being maintained in the cookies, if sensitive data is maintained in them.

Good alternative for handling user related information in web programming is HttpSession, it is secure :

User data can be kept in “session scope” and it exists on the server not in the client browser. Server side is the better place to handle the sensitive data. In our(developer) control allows to dump the data once usage is completed.

Session should be very carefully handled as :

  • It deals with sensitive data.
  • They demand server resources.

Here are few tips to handle sessions : 

  • Always use a <%@ page session=”false” %> directive at the top of every JSP that doesn’t use a session.
  • Disable URL rewriting.
  • Create new sessions only when the user login and remember to invalidate it once user logs out.
  • Timeout value in web.xml is set to reasonable value..not too high or low.
  • Validate all the requests to defend against dupe attacks.

Happy Programming 🙂

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s