question about http sessions...

Centinall

Member
Jul 5, 2003
We all know that HTTP provides a "stateless" connection, and therefore we use things like cookies, hidden fields, sessions, etc. to maintain state (in other words, so that Jack is still Jack between page views).

I can understand how cookies, hidden fields, etc. can be used to do this, but I'm not exactly clear about sessions. What does the server/web container/etc. use to identify sessions? Is it some information in the HTTP header, and/or the IP address / a key exchanged between server and client / a hidden query string / a cookie / ...?

I assume that it's a combination of many of these things that are abstracted away from the programmer, but if someone could please clarify.

And how safe is it to use session variables? I know that there are issues with cookies being stolen or being created to steal state. What do you guys use to maintain state?

BTW, I'm just getting into using Tomcat with Jakarta Struts...

thanks for your help...
 

BZ

Member
Jan 9, 2003
As I understand it, sessions are not part of HTTP at all, but are server-side extensions. In IIS, sessions are implemented via temporary cookies: the cookie just contains an encrypted id that the server uses to track the user's session. They are generally considered to be safe, and since they allow the sensitive information to not have to flow back and forth as it does with cookies and hidden fields, it's the most secure method of those options. I don't know how sessions are implemented in other servers.
 

Centinall

Member
Jul 5, 2003
Thanks for the help BZ. I'm just not quite convinced about sessions being tracked through cookies. Is there a difference between cookies and "temporary cookies"? When I used to develop ASP apps, I would test them on browsers with JS and cookies turned off, and sessions would still persist. No offense, I could be completely wrong, as I find myself most of the time ;-).

Anyone have any idea about sessions and the Apache Tomcat container?
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
Originally posted by: Centinall
Thanks for the help BZ. I'm just not quite convinced about sessions being tracked through cookies. Is there a difference between cookies and "temporary cookies"? When I used to develop ASP apps, I would test them on browsers with JS and cookies turned off, and sessions would still persist. No offense, I could be completely wrong, as I find myself most of the time ;-).
Anyone have any idea about sessions and the Apache Tomcat container?

He's right, IIS tracks sessions through temporary cookies. Temp cookies are ones that expire when the browser closes and (generally) don't even get cached to disk. Perm cookies survive the browser session and are committed to disk for later use. Many times when you 'turn off cookies' it disables perm cookies, not temp ones.

Bill
 

BZ

Member
Jan 9, 2003
An interesting thing I've seen done is a session object written from scratch that checks whether cookies are enabled, and if not, passes a session id in the URL string. If cookies are on, it gets the session id from the cookie. Either way only the id is stored that way, and all the variables are in the database. This method allows sessions to be reactivated when the user clicks a link, either from an email notice or from a bookmark.

Putting the id in the URL is not very secure (I don't think the URL gets encrypted in HTTPS, but I could be wrong about that), so you wouldn't want to use it for ecommerce.
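The cookie-first, URL-fallback lookup BZ describes, as an added example in Python; this is not code from the thread or from Tomcat, and it assumes a dict-based server-side store, with the JSESSIONID cookie and ;jsessionid= path parameter names borrowed from Tomcat's convention. It also shows the defensive step a practitioner would add: an id that arrived in the URL has likely been written to logs, bookmarks or Referer headers, so it is rotated and re-issued as a cookie rather than kept.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed example: names follow Tomcat's convention (JSESSIONID cookie,
# ;jsessionid= path parameter), but this is not Tomcat's implementation.
COOKIE_NAME = "JSESSIONID"
URL_PARAM = ";jsessionid="

class SessionStore:
    # All state lives on the server; the client only ever holds the id.
    def __init__(self):
        self._sessions = {}

    def create(self, state):
        sid = secrets.token_urlsafe(32)  # unguessable: 256 random bits
        self._sessions[sid] = dict(state)
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def rotate(self, old_sid):
        # Move the state to a fresh id and forget the old, possibly leaked, one.
        return self.create(self._sessions.pop(old_sid))

def extract_session_id(headers, url):
    """Return (sid, source); the cookie wins, the URL is the fallback."""
    cookie_header = headers.get("Cookie", "")
    if cookie_header:
        jar = SimpleCookie()
        jar.load(cookie_header)
        if COOKIE_NAME in jar:
            return jar[COOKIE_NAME].value, "cookie"
    path = urlsplit(url).path  # urlsplit keeps the ";..." path parameter
    if URL_PARAM in path:
        return path.split(URL_PARAM, 1)[1].split(";", 1)[0], "url"
    return None, None

def resolve_session(store, headers, url):
    """Return (sid, state, set_cookie). An id that travelled in the URL may
    sit in logs, bookmarks or Referer headers, so it is rotated and the
    caller is told to re-issue the new id as a cookie."""
    sid, source = extract_session_id(headers, url)
    if sid is None or store.get(sid) is None:
        return None, None, False
    if source == "url":
        sid = store.rotate(sid)
    return sid, store.get(sid), source == "url"
```

The caller sets the returned id as a session (non-persistent) cookie whenever set_cookie is True, so the id stops appearing in links from that point on.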