Manage sessions closely

The Servlet API is, unfortunately, rather liberal in creating sessions. Various tools have default behaviors which can implicitly create sessions in the background. It's very easy for an application to "accidentally" create a session, even when one was not explicitly requested.

As an example, a JSP will by default create a session if one doesn't already exist, so that the page can use the implicit session variable (the page directive session="false" turns this off). As a second example, request.getSession() with no argument, or with an argument of true, will also create a session if one doesn't already exist; only request.getSession(false) returns null instead of creating one.
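To make the contrast concrete, here is an added example (not code from the original page or from WEB4J) of a servlet that never creates a session as a side effect: it reads with getSession(false), creates a session exactly once on login, and invalidates it on logout. A session listener alongside it logs every session the container creates, which is a cheap way to catch a JSP or library that is creating sessions behind your back. The attribute name "userId", the "action" and "user" request parameters, and the 15-minute timeout are assumptions for illustration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/* Added example, not WEB4J code. Attribute/parameter names are assumed. */
public class SessionPolicyServlet extends HttpServlet {

  private static final String USER_ATTR = "userId";

  @Override
  protected void doGet(HttpServletRequest req, HttpServletResponse resp)
      throws ServletException, IOException {
    // getSession(false) returns null instead of silently creating a session.
    HttpSession existing = req.getSession(false);
    if (existing == null) {
      resp.getWriter().println("No session, and none was created.");
    } else {
      resp.getWriter().println("Logged in as " + existing.getAttribute(USER_ATTR));
    }
  }

  @Override
  protected void doPost(HttpServletRequest req, HttpServletResponse resp)
      throws ServletException, IOException {
    String action = req.getParameter("action"); // assumed parameter name
    if ("login".equals(action)) {
      login(req, req.getParameter("user"));     // assumed parameter name
    } else if ("logout".equals(action)) {
      logout(req);
    }
    resp.sendRedirect(req.getContextPath() + "/");
  }

  /** The one place in the application that creates a session. */
  static void login(HttpServletRequest req, String userId) {
    // Credential check omitted; assume it has already succeeded.
    // Drop any session that existed before authentication, so an identifier
    // the browser already held is not promoted to an authenticated one.
    HttpSession old = req.getSession(false);
    if (old != null) {
      old.invalidate();
    }
    HttpSession fresh = req.getSession(true);  // explicit creation
    fresh.setMaxInactiveInterval(15 * 60);      // assumed idle timeout, seconds
    fresh.setAttribute(USER_ATTR, userId);
  }

  /** Destroys the session now rather than waiting for the idle timeout. */
  static void logout(HttpServletRequest req) {
    HttpSession session = req.getSession(false);
    if (session != null) {
      session.invalidate();
    }
  }
}

/* Logs every session the container creates. If a line appears for a request
 * that is not a login, something (a JSP, a tag library, a framework) is
 * creating sessions implicitly and should be tracked down. */
@WebListener
class SessionCreationLogger implements HttpSessionListener {
  @Override
  public void sessionCreated(HttpSessionEvent e) {
    e.getSession().getServletContext().log(
        "Session created: " + e.getSession().getId());
  }

  @Override
  public void sessionDestroyed(HttpSessionEvent e) {
    e.getSession().getServletContext().log(
        "Session destroyed: " + e.getSession().getId());
  }
}
```

The @WebListener annotation requires Servlet 3.0 or later; on older containers, register the listener in web.xml instead. Any JSP in the same application still needs <%@ page session="false" %> at the top, otherwise the JSP will create a session on its own, and the listener will show it doing so.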

However, sessions should be managed with some care, for two main reasons:

So, the creation and destruction of sessions should be tightly controlled by the application, rather than left to the defaults of the Servlet API and the tools built on it.

Here's an example of a reasonable set of policies regarding sessions:

See Also:
Emit flexible URLs
Always maintain HttpSessions
Beware of custom cookies
Beware of common hacks
Beware of URL rewriting
© 2018 Hirondelle Systems
Individual code snippets can be used under this BSD license - Last updated on September 21, 2013.