Emit flexible URLs
Always maintain HttpSessions
Beware of custom cookies
Beware of common hacks
Beware of URL rewriting
As an example, JSPs will often create a session if one doesn't already exist. This allows JSPs to use the implicit session variable.
As a second example, the request.getSession() method will also automatically create a session if one doesn't already exist.
However, sessions should be managed with some care, for two main reasons:
So, the creation and destruction of sessions should likely be tightly controlled by the application.
Here's an example of a reasonable set of policies regarding sessions:
- Use the <%@ page session="false" %> directive at the top of every JSP that doesn't use a session.
- In web.xml, ensure the session timeout is set to a value which isn't unnecessarily long.
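The following servlet is an added example, not code from the original page, of what "tightly controlled" creation and destruction can look like in servlet code alongside the two policies above. The class name, the "user" attribute, the /account and /login paths and the 15-minute web.xml timeout are all assumptions made for the example.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet that keeps session creation and destruction in one place.
// Companion settings (also illustrative): JSPs that need no session start with
// <%@ page session="false" %>, and web.xml sets <session-config><session-timeout>15
// </session-timeout></session-config> (minutes; the value is assumed, not from the page).
public class SessionControlServlet extends HttpServlet {
    // Read-only lookup: getSession(false) never creates a session, so anonymous
    // requests do not allocate server-side state as a side effect.
    static String currentUser(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        return session == null ? null : (String) session.getAttribute("user");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String action = req.getParameter("action");
        if ("login".equals(action) && authenticate(req)) {
            // Creation happens only here, after a successful login; any session
            // that existed before login is discarded so login starts a fresh one.
            HttpSession old = req.getSession(false);
            if (old != null) {
                old.invalidate();
            }
            HttpSession session = req.getSession(true);
            session.setAttribute("user", req.getParameter("username"));
            resp.sendRedirect(req.getContextPath() + "/account");
        } else if ("logout".equals(action)) {
            // Destruction is explicit rather than left to the web.xml timeout.
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            resp.sendRedirect(req.getContextPath() + "/login");
        } else {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
        }
    }
    // Placeholder credential check; a real application verifies against its user store.
    private boolean authenticate(HttpServletRequest req) {
        return "demo".equals(req.getParameter("username"))
                && "demo".equals(req.getParameter("password"));
    }
}
```

Every other page in such an application reads session state through currentUser() and never calls request.getSession() or uses the implicit JSP session variable, so the only code paths that create or destroy a session are the login and logout branches shown.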