tomcat-users mailing list archives

From Benjamin Fonzé
Subject RE: Session variables
Date Wed, 15 May 2002 14:34:17 GMT
Hi Rick !
I'm very happy to have an answer...

Yes, I was aware of the timeout, but I don't know how Tomcat manages
these variables, so I really don't know if that's secure (during the
user session), and I store some important information in these

I'm using HTTPS, so it seems to be ok.

Thanks a lot !

You don't know how I can have information about the implementation of
HttpSession ?


-----Original Message-----
From: Rick Fincher [] 
Sent: mercredi 15 mai 2002 16:17
To: Tomcat Users List
Subject: Re: Session variables

Hi Benjamin,

The sessions have a timeout value.  If there is no action on a session
that amount of time the server kills it.  You can also invalidate a
in your program, usually with a "logout" page, but there's no guaranteeing
that the user will do it.

A snooper could technically get a session number and start using it, if
can do it before the timeout kills the session.

If you are worried about that you need to use HTTPS.

If you don't use url rewriting, each page will be a new session.  This
not show up until you try to share something in a session object, and
page that expects it to be there gets a null.

Hope this helps,


----- Original Message -----

> Hello !
> I have a few questions concerning the implicit session object.
> On the Java Sun web site, I can read this about the HttpSession
> interface :
> "The servlet container uses this interface to create a session between
> an HTTP client and an HTTP server. The session persists for a
> time period, across more than one connection or page request from the
> user. A session usually corresponds to one user, who may visit a site
> many times. The server can maintain a session in many ways such as
> cookies or rewriting URLs."
> My browser is configured to refuse the cookies, and I've no cookies on
> my disk, my conclusion is that Tomcat does not use cookies.
> But I've no URL rewriting either (Except if that's invisible !?? Like
> the POST method of a form !?)
> I really need to know how that's implemented by HttpSession, is
> can help me ?
> Another question.
> I use Tomcat 3.3a, and I'm worrying if the security of these session
> good ?
> Is that possible for a hacker to recuperate the session variables of a
> server ?
> Thanks a lot !
> Benja.

To unsubscribe, e-mail:
For additional commands, e-mail:
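An added illustration of the mechanics Rick describes (this is not code from the thread and not Tomcat's own source): a hypothetical servlet, assumed to be named SessionDemoServlet and running on a Servlet 2.2-era container such as Tomcat 3.3, that reports whether the container received the session ID by cookie or by URL rewriting, keeps the session across requests for cookie-refusing browsers with response.encodeURL(), sets the idle timeout, and invalidates the session on logout.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet (not from the thread) showing how the container tracks
// a session, how to keep it alive without cookies, and how to end it on purpose.
public class SessionDemoServlet extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();

        if ("logout".equals(request.getParameter("action"))) {
            HttpSession old = request.getSession(false); // don't create one just to kill it
            if (old != null) {
                old.invalidate(); // server-side state is gone; a reused ID is now worthless
            }
            out.println("<p>Session ended.</p>");
            return;
        }

        HttpSession session = request.getSession(true);
        session.setMaxInactiveInterval(15 * 60); // 15 minutes idle, then the container discards it

        // Where did the ID come from? This answers the "cookie or URL rewriting?" question.
        out.println("<p>Session ID: " + session.getId() + "</p>");
        out.println("<p>New session: " + session.isNew() + "</p>");
        out.println("<p>ID sent by cookie: " + request.isRequestedSessionIdFromCookie() + "</p>");
        out.println("<p>ID sent in URL: " + request.isRequestedSessionIdFromURL() + "</p>");
        out.println("<p>Over HTTPS: " + request.isSecure() + "</p>");

        // Session attributes never leave the server; only the ID travels with the client.
        Integer visits = (Integer) session.getAttribute("visits");
        visits = (visits == null) ? new Integer(1) : new Integer(visits.intValue() + 1);
        session.setAttribute("visits", visits);
        out.println("<p>Visits in this session: " + visits + "</p>");

        // encodeURL() appends ;jsessionid=... only when the client sent no session cookie;
        // a link built without it starts a fresh session on every click for cookie-less clients.
        String next = response.encodeURL(request.getRequestURI());
        String logout = response.encodeURL(request.getRequestURI() + "?action=logout");
        out.println("<p><a href=\"" + next + "\">Visit again</a> | <a href=\"" + logout + "\">Log out</a></p>");
    }
}
```

With cookies refused, following the "Visit again" link keeps the visit counter climbing because the ID rides in the URL, while typing the bare URL by hand shows "New session: true" and a counter reset to 1, which is the null-attribute symptom Rick mentions.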

