Posted to general@jakarta.apache.org by So...@aol.com on 2000/10/12 18:33:58 UTC

sharing httpsession among different servers

Anyone know the general game plan for sharing an http session among different servers different websites? One web site will have a link to another website that will provide a shopping cart. So when the user clicks check out, he goes back to the original web site, and his session holding his shopping cart activities needs to be transferred. Any ideas?

Re: sharing httpsession among different servers

Posted by Glenn Nielsen <gl...@voyager.apg.more.net>.
I'll second the below.

The practice of putting hidden state information in the URL, cookies,
HTML hidden vars, etc. is not a good practice to get into.  Sure
you need to send the odd cookie once in a while or pass parameters
in the URL query string.  But many times internal state information 
you would store in a session is not the type of data you want the client 
to have access to from a security standpoint.

Glenn

Braxton Robbason wrote:
> 
> I see some issues with this method:
> 1) if you are storing all session data on the client, you will have to
> encrypt it to keep people from messing around with it, and they will still
> have access to the encrypted data to crack.
> 2) many browsers cannot have URL strings longer than 255 characters, so
> saving session data in the URL will only work for very simple applications.
> 3) saving the session data in a hidden form variable would mean that people
> lose their sessions if they click on any normal link; they would have to
> consistently submit forms to go page to page.
> 
> You could use cookies; this still has problem #1, but 2 and 3 are gone.
> 
> Depending on how much data is associated with a session, sending it back and
> forth to the client could be a source of inefficiency.
> 
> braxton
> 
> -----Original Message-----
> From: Doug Collinge [mailto:dcolling@abyssnet.com]
> Sent: Thursday, October 12, 2000 3:06 PM
> To: general@jakarta.apache.org
> Subject: Re: sharing httpsession among different servers
> 
> Here's something I have been meaning to try for some time:  take the
> session information, serialize in some way, like XML or Java
> serialization, and store it on the  page, either on the URL or in a
> hidden form variable.  Then all the session is saved over on the client
> so you never have to worry about timeouts, locking up server resources,
> or which server the request gets dispatched to.  You also don't get that
> nasty situation where you could have two windows of the same browser
> both with the form in them and they stomp all over each other's session
> data.
> 
> Comments?
> 
> Matthew Inger wrote:
> 
> > Yeah, store the shopping cart in the database, not in a session.
> > That way, if the session expires, the user doesn't lose his/her
> > shopping cart contents.  Typically, a session should be used only
> > for data that you can afford to lose, and reconstruct somehow.
> >
> >
> > -----Original Message-----
> > From: Soch88@aol.com [mailto:Soch88@aol.com]
> > Sent: Thursday, October 12, 2000 12:34 PM
> > To: general@jakarta.apache.org
> > Subject: sharing httpsession among different servers
> >
> >
> > Anyone know the general game plan for sharing an http session among
> > different servers different websites? One web site will have a link to
> > another website that will provide a shopping cart. So when the user clicks
> > check out, he goes back to the original web site, and his session holding
> > his shopping cart activities needs to be transferred. Any ideas?
> >

----------------------------------------------------------------------
Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------

RE: sharing httpsession among different servers

Posted by Braxton Robbason <ro...@pulpfree.com>.
I see some issues with this method:
1) if you are storing all session data on the client, you will have to
encrypt it to keep people from messing around with it, and they will still
have access to the encrypted data to crack.
2) many browsers cannot have URL strings longer than 255 characters, so
saving session data in the URL will only work for very simple applications.
3) saving the session data in a hidden form variable would mean that people
lose their sessions if they click on any normal link; they would have to
consistently submit forms to go page to page.

You could use cookies; this still has problem #1, but 2 and 3 are gone.

Depending on how much data is associated with a session, sending it back and
forth to the client could be a source of inefficiency.

braxton

-----Original Message-----
From: Doug Collinge [mailto:dcolling@abyssnet.com]
Sent: Thursday, October 12, 2000 3:06 PM
To: general@jakarta.apache.org
Subject: Re: sharing httpsession among different servers


Here's something I have been meaning to try for some time:  take the
session information, serialize in some way, like XML or Java
serialization, and store it on the  page, either on the URL or in a
hidden form variable.  Then all the session is saved over on the client
so you never have to worry about timeouts, locking up server resources,
or which server the request gets dispatched to.  You also don't get that
nasty situation where you could have two windows of the same browser
both with the form in them and they stomp all over each other's session
data.

Comments?

Matthew Inger wrote:

> Yeah, store the shopping cart in the database, not in a session.
> That way, if the session expires, the user doesn't lose his/her
> shopping cart contents.  Typically, a session should be used only
> for data that you can afford to lose, and reconstruct somehow.
>
>
> -----Original Message-----
> From: Soch88@aol.com [mailto:Soch88@aol.com]
> Sent: Thursday, October 12, 2000 12:34 PM
> To: general@jakarta.apache.org
> Subject: sharing httpsession among different servers
>
>
> Anyone know the general game plan for sharing an http session among
> different servers different websites? One web site will have a link to
> another website that will provide a shopping cart. So when the user clicks
> check out, he goes back to the original web site, and his session holding
> his shopping cart activities needs to be transferred. Any ideas?
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: general-help@jakarta.apache.org





Re: sharing httpsession among different servers

Posted by Doug Collinge <dc...@abyssnet.com>.
Here's something I have been meaning to try for some time:  take the 
session information, serialize in some way, like XML or Java 
serialization, and store it on the  page, either on the URL or in a 
hidden form variable.  Then all the session is saved over on the client 
so you never have to worry about timeouts, locking up server resources, 
or which server the request gets dispatched to.  You also don't get that 
nasty situation where you could have two windows of the same browser 
both with the form in them and they stomp all over each other's session 
data.

Comments?

Matthew Inger wrote:

> Yeah, store the shopping cart in the database, not in a session.
> That way, if the session expires, the user doesn't lose his/her
> shopping cart contents.  Typically, a session should be used only
> for data that you can afford to lose, and reconstruct somehow.
> 
> 
> -----Original Message-----
> From: Soch88@aol.com [mailto:Soch88@aol.com]
> Sent: Thursday, October 12, 2000 12:34 PM
> To: general@jakarta.apache.org
> Subject: sharing httpsession among different servers
> 
> 
> Anyone know the general game plan for sharing an http session among
> different servers different websites? One web site will have a link to
> another website that will provide a shopping cart. So when the user clicks
> check out, he goes back to the original web site, and his session holding
> his shopping cart activities needs to be transferred. Any ideas?
> 


RE: sharing httpsession among different servers

Posted by Matthew Inger <ma...@mindless.com>.
Yeah, store the shopping cart in the database, not in a session.
That way, if the session expires, the user doesn't lose his/her
shopping cart contents.  Typically, a session should be used only
for data that you can afford to lose, and reconstruct somehow.


-----Original Message-----
From: Soch88@aol.com [mailto:Soch88@aol.com]
Sent: Thursday, October 12, 2000 12:34 PM
To: general@jakarta.apache.org
Subject: sharing httpsession among different servers


Anyone know the general game plan for sharing an http session among
different servers different websites? One web site will have a link to
another website that will provide a shopping cart. So when the user clicks
check out, he goes back to the original web site, and his session holding
his shopping cart activities needs to be transferred. Any ideas?



RE: sharing httpsession among different servers

Posted by Stephen Morley <st...@morley.net>.
Don't use sessions!

Store the data in a common database and use URL tokens or cookies to identify the user.

Stephen

> -----Original Message-----
> From: Soch88@aol.com [mailto:Soch88@aol.com]
> Sent: Thursday, October 12, 2000 12:34 PM
> To: general@jakarta.apache.org
> Subject: sharing httpsession among different servers
> 
> 
> Anyone know the general game plan for sharing an http session among different servers different websites? One web site 
> will have a link to another website that will provide a shopping cart. So when the user clicks check out, he goes back to 
> the original web site, and his session holding his shopping cart activities needs to be transferred. Any ideas?
> 
> 
> 
>
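
The shared-database-plus-token approach suggested above, combined with the earlier point that anything the client holds must resist tampering, as an added Java example that is not code from any poster in this thread. The class name, the in-memory map standing in for the common database, the token layout and the 300-second lifetime are all assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class CartHandoff {
    // Stand-in for the common database both sites can reach (assumption).
    static final Map<String, List<String>> CART_DB = new HashMap<>();
    static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    static byte[] random(int n) {
        byte[] b = new byte[n];
        new SecureRandom().nextBytes(b);
        return b;
    }
    static String sign(String msg, byte[] key) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return B64.encodeToString(mac.doFinal(msg.getBytes(StandardCharsets.UTF_8)));
    }
    // Token = cartId.expiryEpochSeconds.hmac; no cart contents ever reach the client.
    static String issue(String cartId, long expiry, byte[] key) throws Exception {
        String body = cartId + "." + expiry;
        return body + "." + sign(body, key);
    }
    // Returns the cart id, or null if the token was altered or has expired.
    static String verify(String token, long now, byte[] key) throws Exception {
        int cut = token.lastIndexOf('.');
        if (cut < 0) return null;
        String body = token.substring(0, cut);
        byte[] got = token.substring(cut + 1).getBytes(StandardCharsets.UTF_8);
        byte[] want = sign(body, key).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(got, want)) return null; // constant-time compare
        String[] parts = body.split("\\.");
        if (parts.length != 2 || Long.parseLong(parts[1]) < now) return null;
        return parts[0];
    }

    public static void main(String[] args) throws Exception {
        byte[] key = random(32); // known to both sites, never sent to the browser
        String id = B64.encodeToString(random(16)); // opaque 128-bit cart id
        CART_DB.put(id, List.of("sku-1001 x2", "sku-2040 x1")); // constructed sample cart
        long now = System.currentTimeMillis() / 1000;
        String token = issue(id, now + 300, key); // short-lived: it travels in a URL
        System.out.println("valid    -> " + CART_DB.get(verify(token, now, key)));
        System.out.println("tampered -> " + verify("A" + token, now, key));
        System.out.println("expired  -> " + verify(token, now + 301, key));
    }
}
```

The cart contents stay in the shared store on the server side; the browser only carries an unguessable identifier whose integrity and lifetime the receiving site can check before looking anything up.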