
why need session?

 
ankur rathi
Ranch Hand
Posts: 3830
Is it necessary to create sessions??

I mean, if I send a user id (something that uniquely identifies a user) with each request after the user has logged in, then I can find out any details about the user by this id.

What's the drawback with this approach?

Please comment.

Thanks.
[ December 19, 2005: Message edited by: Bear Bibeault ]
 
David O'Meara
Rancher
Posts: 13459
If your application requires security, I can 'become' another user just by sending another user id. It is harder to guess session ids. Also, session ids are separate from login details, so that you can still track a user's movement without requiring them to log in.
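An added example, not part of the thread or any poster's code, of the point in the answer above: a user id read from the request is whatever the client chose to send, while a session id is an unguessable token that the server itself maps to the logged-in user. The class, method and parameter names are hypothetical; in a servlet container, HttpSession does the equivalent bookkeeping for you.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration; class, method and parameter names are hypothetical.
public class SessionVsUserId {

    // Server-side table: opaque random token -> authenticated user id.
    private final Map<String, String> sessions = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();

    // Approach from the question: trust the user id sent with the request.
    // GET parameter, POST field, hidden field or cookie makes no difference:
    // every one of them is chosen by the client.
    String whoIsItUnsafe(Map<String, String> requestParams) {
        return requestParams.get("userId");
    }

    // Called once, after the credential check has succeeded.
    String login(String authenticatedUserId) {
        byte[] raw = new byte[16];            // 128 random bits
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, authenticatedUserId);
        return token;                         // handed to the browser as the session id
    }

    // Session approach: identity comes from the server's table, not from the request.
    String whoIsIt(Map<String, String> requestParams) {
        String token = requestParams.get("sessionId");
        return token == null ? null : sessions.get(token);
    }

    void logout(String token) { sessions.remove(token); }

    public static void main(String[] args) {
        SessionVsUserId app = new SessionVsUserId();
        String aliceToken = app.login("alice");   // constructed sample user
        // A request that simply names another account is accepted as that account.
        System.out.println(app.whoIsItUnsafe(Map.of("userId", "bob")));
        // A guessed value is not in the session table, so it resolves to no user.
        System.out.println(app.whoIsIt(Map.of("sessionId", "bob")));
        System.out.println(app.whoIsIt(Map.of("sessionId", aliceToken)));
        app.logout(aliceToken);               // the token stops working after logout
        System.out.println(app.whoIsIt(Map.of("sessionId", aliceToken)));
    }
}
```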
 
ankur rathi
Ranch Hand
Posts: 3830

If your application requires security, I can 'become' another user just by sending another user id. It is harder to guess session id's.


But if I use the POST method each time, then it is harder for a user to judge any user id, and hardest to know how to pass a user id with the request...

Please comment.

Thanks.
 
Prabodh Reddy
Greenhorn
Posts: 14
Sessions are useful for the server to identify the client.
The server can identify the user with the session id. Whenever a user sends a request to the server, it will create a session id.
This is mainly used with HTTP communication, as HTTP is a stateless protocol (which does not maintain the state of the client).
With the help of sessions, the server can maintain the state of the client.
 
Hemant Agarwal
Ranch Hand
Posts: 138
But the problem with hidden fields is that they will be passed each time from server to browser and then from browser back to server. So to avoid that you can use Session. Also, if I don't want to send some information to the client but it is needed in many of my pages, I may use session.
 
Ben Souther
Sheriff
Posts: 13411
Using session allows you to keep (cache) Java objects in memory on the server.
Since reading from memory is exponentially faster than disk IO, this can make your app much more responsive and efficient. It can also make your code a lot cleaner, simpler, and easier to maintain.
It only takes a line or two to reference an object bound to session.
Compare that with the database code required to look up and parse the user's information every time they post a request and you can start to see the benefit.

There are downsides too.
Needlessly loading all kinds of objects into session can cause your app's memory footprint to grow. If you're using session replication to cluster your app servers then all the objects in session will need to be serialized and de-serialized with every hit.

Like everything in this profession, the trick is to find the right balance for the app you're building.



Oh... The answer to your first question:
No, it's not necessary to create sessions.
There are plenty of web applications out there that don't use them at all.
[ December 19, 2005: Message edited by: Ben Souther ]
 