Session management is critical part of web programming and we use it regularly duirng our web application development, this has to be handled very carefully else it can blow up the security of the applciation & data. Cookies are provided to store simple user-related data on the browser. But this poses high amount of risk for security of the data being maintained in the cookies, if sensitive data is maintained in them.
Good alternative for handling user related information in web programming is HttpSession, it is secure :
User data can be kept in “session scope” and it exists on the server not in the client browser. Server side is the better place to handle the sensitive data. In our(developer) control allows to dump the data once usage is completed.
Session should be very carefully handled as :
- It deals with sensitive data.
- They demand server resources.
Here are few tips to handle sessions :
- Always use a <%@ page session=”false” %> directive at the top of every JSP that doesn’t use a session.
- Disable URL rewriting.
- Create new sessions only when the user login and remember to invalidate it once user logs out.
- Timeout value in web.xml is set to reasonable value..not too high or low.
- Validate all the requests to defend against dupe attacks.
Happy Programming 🙂
TSR's Blog 