Posted to user@struts.apache.org by "Michael J." <jm...@gmail.com> on 2005/04/16 05:04:37 UTC

RE: SessionState vs. request state.

I prefer to store everything on the server. It gives better control
over data and application state.

> Brian
> 
> I vote for storing information in session variables for
> the simple reason most Admins do not allow browsers
> to write cookies on the hard drive for fear of introducing
> viruses to the system. +1 for session variables
>
> Martin Gainty

This is paranoia. To keep the session id they would need to allow the
jsessionid cookie somehow anyway. And if _all_ cookies are prohibited,
then Struts would need to rewrite each and every URL. Well, at least
URLs are polluted with jsessionid only, not with the whole _viewstate thing
(yuck!)

Michael.

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: SessionState vs. request state.

Posted by Craig McClanahan <cr...@gmail.com>.
On 4/15/05, Michael J. <jm...@gmail.com> wrote:
> I prefer to store everything on the server. It gives better control
> over data and application state.
> 
> > Brian
> >
> > I vote for storing information in session variables for
> > the simple reason most Admins do not allow browsers
> > to write cookies on the hard drive for fear of introducing
> > viruses to the system. +1 for session variables
> >
> > Martin Gainty
> 
> This is paranoia. To keep the session id they would need to allow the
> jsessionid cookie somehow anyway. And if _all_ cookies are prohibited,
> then Struts would need to rewrite each and every URL. Well, at least
> URLs are polluted with jsessionid only, not with the whole _viewstate thing
> (yuck!)
> 

You should also note that most browsers do not actually store cookies
on disk unless they have a defined expiration timestamp.  Most servlet
containers don't set such a timestamp on session id cookies, which
leads to them being stored, in memory, only for the duration of the
browser session.

That in turn is a good thing, because even if someone has read access
to the temporary directory where your browser stores cookies, they
cannot snoop the ids of your current session and attempt to
impersonate you.

> Michael.

Craig
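A check for the property Craig describes, as an added Python example that is not from this thread or from the Struts project: it parses Set-Cookie header values and reports which cookies carry no Expires/Max-Age (memory-only session cookies) versus which a browser would write to disk, and flags session-id cookies in the second group. The SESSION_ID_NAMES list and the sample headers are constructed assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

SESSION_ID_NAMES = {"jsessionid", "phpsessid", "asp.net_sessionid"}  # hypothetical list

def classify_cookie(morsel, now):
    """'session' = memory only, 'persistent' = written to disk, 'expired' = deleted.
    Per RFC 6265, Max-Age takes precedence over Expires, and a non-positive
    Max-Age or a past Expires date removes the cookie instead of storing it."""
    max_age = morsel["max-age"]
    if max_age != "":
        try:
            return "persistent" if int(max_age) > 0 else "expired"
        except ValueError:
            pass  # malformed Max-Age is ignored; fall through to Expires
    expires = morsel["expires"]
    if expires == "":
        return "session"  # no lifetime attribute: the usual jsessionid case
    try:
        when = parsedate_to_datetime(expires)
    except (TypeError, ValueError):
        return "session"  # unparseable date is ignored; cookie stays in memory
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return "persistent" if when > now else "expired"

def audit_set_cookie(headers, now=None):
    """Map each cookie name in the given Set-Cookie header values to its class."""
    now = now or datetime.now(timezone.utc)
    result = {}
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)  # parses the value and attributes of one Set-Cookie line
        for name, morsel in jar.items():
            result[name] = classify_cookie(morsel, now)
    return result

def persistent_session_ids(headers, now=None):
    """Session-id cookies a browser would keep on disk across restarts."""
    return sorted(name for name, kind in audit_set_cookie(headers, now).items()
                  if kind == "persistent" and name.lower() in SESSION_ID_NAMES)

# Constructed sample headers, not captured from any real server.
SAMPLE_HEADERS = [
    "JSESSIONID=4A7F1C; Path=/; HttpOnly",
    "PHPSESSID=9b2e; Path=/; Max-Age=86400",
    "theme=dark; Expires=Thu, 01 Jan 2037 00:00:00 GMT; Path=/",
    "OLDSID=x; Max-Age=0",
]
```

Run it against the Set-Cookie lines of a captured response; only the names it prints from persistent_session_ids would survive a browser restart on disk.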
