When should we opt to use a session and when should we use oookies in an application. What are the main differences between the two.
Cookies are intended to hold short strings of text on the user's browser while sessions can hold any Java object on the server.
And if cookies are turned off in a browser, do we need to call response.encodeUrl() explicitly or is it automatically taken care of ?
Any encoding of URLs to hold session ids must be done explicity.
The third approach is to use hidden values in Forms instead of cookies.
Holding state in sessions can be more performant than cookies, especially if you have large amounts of data, and is easier to pass around to other parts of your app. Cookies can only hold so much info. Consider holding sate info in the request object as well if only the next request needs it.