Session or hidden form

 
chiu pong
Greenhorn
Posts: 11
hi,
I want to get some suggestions on using session or hidden form to transfer variables through jsp pages.
There are two variables (loginName & loginGp) in my application that need to be transferred through pages.
I am now using session.setAttribute() and session.getAttribute() to store and retrieve the variables. I think it is quite convenient to use the session. But I heard that using a hidden form to transfer variables is a better way.
Can anyone tell me the pros and cons by using session and hidden form? Which one is more suitable for my case?
thx a lot.
ypc
 
David O'Meara
Rancher
Posts: 13459
Android Eclipse IDE Ubuntu
This is quite a big question, but I'll answer in terms of your problem.
Firstly, the session works best when used to hold data that is true for the life of the session. Otherwise you tend to magnify thread safety issues. In terms of your problem, once the user is logged in, this data is true for the life of their session, therefore it works well on the session.
Secondly, information placed as hidden fields cannot be trusted, since clients can alter it and send fake data back. Again taking it back to your query, if you pass the username to the client and trust them to hand it back you run the real risk of someone using this feature to hack your site.
I believe you should be placing the user data on the session only.
Dave
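To make Dave's advice concrete, here is an added example (written for this page, not code from the thread or any poster) of the session-only approach for the two variables in the question. It is a single servlet: a POST logs the user in and puts loginName and loginGp on the HttpSession, and every later GET reads them back from the session and ignores anything the client sends in a hidden field or query string. The `authenticate` method, the in-memory `GROUPS` table and the "secret" password rule are constructed stand-ins for a real user store; the servlet API calls are the standard javax.servlet ones.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not from the thread: loginName and loginGp are established once
 * at login and kept on the HttpSession; later pages read them from the session only.
 *
 * The hidden-form alternative would carry the values inside each page, e.g.
 *   <input type="hidden" name="loginName" value="ypc">
 *   <input type="hidden" name="loginGp"   value="user">
 * and read them back with request.getParameter("loginGp"). The browser's user can
 * change that value before submitting, so the server would be trusting the client
 * for its own authorization decision. Nothing below reads loginGp from the request.
 */
public class SessionLoginExample extends HttpServlet {

    // Constructed stand-in for a real user store: login name -> group.
    private static final Map<String, String> GROUPS = new HashMap<String, String>();
    static {
        GROUPS.put("ypc", "user");
        GROUPS.put("dave", "admin");
    }

    /** Hypothetical credential check: returns the user's group, or null on failure. */
    static String authenticate(String loginName, String password) {
        if (loginName == null || password == null) return null;
        // Placeholder rule for the example only; a real check verifies a stored hash.
        if (!"secret".equals(password)) return null;
        return GROUPS.get(loginName);
    }

    /** The login form POSTs loginName and password here. */
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getParameter("loginName");
        String group = authenticate(name, req.getParameter("password"));
        if (group == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "login failed");
            return;
        }
        // Start a fresh session at login so a session id handed out before login is not kept.
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        HttpSession session = req.getSession(true);
        session.setAttribute("loginName", name);
        session.setAttribute("loginGp", group);
        session.setMaxInactiveInterval(30 * 60); // the usual 30-minute default, set explicitly
        resp.sendRedirect(req.getContextPath() + req.getServletPath());
    }

    /** Every later page: take the values from the session, never from the request. */
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false); // false: no session for anonymous hits
        String name  = (session == null) ? null : (String) session.getAttribute("loginName");
        String group = (session == null) ? null : (String) session.getAttribute("loginGp");
        if (name == null || group == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "please log in");
            return;
        }
        resp.setContentType("text/html");
        PrintWriter out = resp.getWriter();
        out.println("<p>Logged in as " + escape(name) + " (group " + escape(group) + ")</p>");
        if ("admin".equals(group)) {
            out.println("<p>Admin links go here.</p>");
        }
    }

    /** Minimal HTML escaping for values echoed back into the page. */
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```

Both attributes are written exactly once, at login, and only read afterwards, which is the "true for the life of the session" pattern Dave describes and keeps the thread-safety concern out of the picture; a JSP can read them the same way with `session.getAttribute("loginGp")` instead of a request parameter.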
 
Garrett Smith
Ranch Hand
Posts: 401
Originally posted by David O'Meara:
...you should be placing the user data on the session only.
Dave

Yeh.
You can always change the session length. It's 30min by default.
If you use forms, it is a pain in the , because you have HTML forms everywhere.
Also, these forms won't even be secure, unless you're using secure protocol. This means that the login name & stuff is accessible in every http request, and since you're gonna use GET, it would be even less secure. Other guys that use that machine could log in just by typing the domain name, pushing down arrow key and hitting return on the location with the query string. This could be malicious or accidental.
 
Carl Trusiak
Sheriff
Posts: 3341
Wow, HUGE question. One I think doesn't get the attention it needs when developing an application. You need to take into account a lot of information about your application. Personally, I don't think hidden fields are the way to do it. Cookies however (the main foundation of HTTP session tracking anyway) could be an alternative. The HTTP authentication header is another.
HttpSession was created to answer the question of how to associate a user's second request with their first and how to store data shared between multiple requests.
The drawback of sessions is the memory requirement needed to store the Session object and the data in the session. A long timeout compounds this if a user logs in and then leaves without logging out. The session object hangs around until timeout!
If the only data you need is a user name and group, you can do this with the HTTP authentication header without a session. Setting sessions off in this case limits the memory requirements of your application. A limitation of this method: if a user needs the data results from one page on the next page, you will probably have to recreate it on each request. Memory savings are basically lost at this point with the creation and destruction of objects! Now, if the data needed is actually application-wide data (a list of forums that apply to all users) the data can be stored at the application scope (and rightfully should be).
Cookies have the same benefit and drawback as using the HTTP authentication header. However, if you use a stateful cookie, you can recognize the user days later without requiring them to log back in.
 
David O'Meara
Rancher
Posts: 13459
Android Eclipse IDE Ubuntu
Yep, big question.
I don't use the Authentication header. My impression was that this header was Base64 encoded clear text? If so, then it's no more trustworthy than a hidden field, is it?
 