tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rick Fincher" <...@tbird.com>
Subject Re: Session variables
Date Wed, 15 May 2002 14:59:07 GMT



I'm not quite sure what your question is, but if you mean the details of how
sessions are built, the Servlet specification has a couple of good chapters
on it.

You can get it here:

http://jcp.org/aboutJava/communityprocess/first/jsr053/index.html

You could also look at Tomcat's source code.

Rick

>
> You don't know how I can have information about the implementation of
> HttpSession ?
>
> Benja.
>
>
>
>
> -----Original Message-----
> From: Rick Fincher [mailto:rnf@tbird.com]
> Sent: mercredi 15 mai 2002 16:17
> To: Tomcat Users List
> Subject: Re: Session variables
>
> Hi Benjamin,
>
> The sessions have a timeout value.  If there is no action on a session
> for
> that amount of time the server kills it.  You can also invalidate a
> session
> in your program, usually with a "logout" page, but there no guaranteeing
> that the user will do it.
>
> A snooper could technically get a session number and start using it, if
> they
> can do it before the timeout kills the session.
>
> If you are worried about that you need to use HTTPS.
>
> If you don't use url rewriting, each page will be a new session.  This
> may
> not show up until you try to share something in a session object, and
> the
> page trhat expects it to be there gets a null.
>
> Hope this helps,
>
> Rick.
>
>
> ----- Original Message -----
>
> > Hello !
> > I have a few questions concerning the implicit session object.
> >
> > On the Java Sun web site, I can read this about the HttpSession
> > interface :
> >
> > "The servlet container uses this interface to create a session between
> > an HTTP client and an HTTP server. The session persists for a
> specified
> > time period, across more than one connection or page request from the
> > user. A session usually corresponds to one user, who may visit a site
> > many times. The server can maintain a session in many ways such as
> using
> > cookies or rewriting URLs."
> >
> > My browser is configured to refuse the cookies, and I've no cookies on
> > my disk, my conclusion is that Tomcat does not use cookies.
> > But I've no URL rewriting either (Except if that's invisible !?? Like
> > the POST method of a form !?)
> >
> > I really need to know how that's implemented by HttpSession, is
> someone
> > can help me ?
> >
> > Another question.
> > I use Tomcat 3.3a, and I'm worrying if the security of these session
> is
> > good ?
> > Is that possible for a hacker to recuperate the session variables of a
> > server ?
> >
> > Thanks a lot !
> > Benja.
>
>
>
> --
> To unsubscribe, e-mail:
> <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail:
> <mailto:tomcat-user-help@jakarta.apache.org>
>
>
>
>
>
> --
> To unsubscribe, e-mail:
<mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail:
<mailto:tomcat-user-help@jakarta.apache.org>
>
>


--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>


Mime
View raw message