Hidden variables Vs session variables - Which is better?

 
sudheshna Iyer
Ranch Hand
Posts: 71
I guess this is the most common question. What is the better way to carry the form variables back to the servlet and finally store them in the DB?

Do you prefer hidden variables vs. session variables? I am using JSP, Spring and Hibernate.

Please suggest.
 
Bauke Scholtz
Ranch Hand
Posts: 2458
With hidden variables you actually mean request scoped variables?

Well, I just say to myself: request scoped data should be kept in the request scope only and session scoped data should be kept in the session scope only. Fairly obvious. Storing request scoped data in the session scope has a fairly negative impact on the user experience. Think about what would happen if the user opens the same site in a new browser window or a new tab and navigates through both?
 
Satya Maheshwari
Ranch Hand
Posts: 368
sudheshna Iyer wrote: I guess this is the most common question. What is the better way to carry the form variables back to the servlet and finally store them in the DB?

Do you prefer hidden variables vs. session variables? I am using JSP, Spring and Hibernate.

Please suggest.


Are you using hidden variables/session attributes for session tracking? If yes, I would say session attributes should work. Hidden variables may act as security holes, as they can be manipulated by doing a 'View Source' on the HTML.
 
Amir Iqbal
Ranch Hand
Posts: 97
Yes, I too agree with Satya's suggestion, because the session is more secure and reliable. That's why it is given preference.
 
Bauke Scholtz
Ranch Hand
Posts: 2458
"Session tracking" is a big word.

Session scoped data is to be stored in the session scope.
Request scoped data is to be stored in the request scope.

That's all. Security is no issue here. Request scoped data is always to be controlled by the client, simply because it is the only one who fires requests. If you really have a hard head in, then you can just make use of preshared keys.
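Added example, not part of any post in this thread: one way for a server to detect a hidden field that the client has changed is to attach an HMAC computed with a key only the server holds, bound to the session ID and field name. The class and method names are hypothetical, and the secret, session IDs and field values are constructed for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical helper: signs a hidden form field so the server can detect client-side edits.
public class SignedHiddenField {
    private final SecretKeySpec key;

    public SignedHiddenField(byte[] serverSecret) {
        this.key = new SecretKeySpec(serverSecret, "HmacSHA256");
    }

    // sessionId and name come from the server, so only the trailing value is client-influenced.
    private byte[] mac(String sessionId, String name, String value) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(key);
        m.update((sessionId + "\n" + name + "\n" + value).getBytes(StandardCharsets.UTF_8));
        return m.doFinal();
    }

    // Text to render in <input type="hidden">: "<value>.<base64url tag>".
    public String protect(String sessionId, String name, String value) throws Exception {
        byte[] tag = mac(sessionId, name, value);
        return value + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    // Returns the original value, or null when the submitted field fails verification.
    public String verify(String sessionId, String name, String submitted) throws Exception {
        int dot = submitted.lastIndexOf('.');
        if (dot < 0) return null;
        String value = submitted.substring(0, dot);
        byte[] tag;
        try {
            tag = Base64.getUrlDecoder().decode(submitted.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null; // tag is not valid base64url
        }
        // MessageDigest.isEqual compares in constant time.
        return MessageDigest.isEqual(tag, mac(sessionId, name, value)) ? value : null;
    }

    public static void main(String[] args) throws Exception {
        SignedHiddenField f = new SignedHiddenField("constructed-demo-secret".getBytes(StandardCharsets.UTF_8));
        String field = f.protect("SESSION-A", "orderId", "1001");
        System.out.println("unchanged:     " + f.verify("SESSION-A", "orderId", field));
        System.out.println("value edited:  " + f.verify("SESSION-A", "orderId", "1002" + field.substring(4)));
        System.out.println("other session: " + f.verify("SESSION-B", "orderId", field));
    }
}
```

The tag only detects modification; the value itself remains visible in the page source, so anything that must stay secret still belongs in the session.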
 
Vinoth Thirunavukarasu
Ranch Hand
Posts: 164
Android Java Linux
We created a session for session tracking. It can't be viewed by anyone. But we can view hidden variables by using view source, and this value can be obtained through request scope.
 
Bauke Scholtz
Ranch Hand
Posts: 2458
vinoth thirunavukarasu wrote: We created a session for session tracking. It can't be viewed by anyone. But we can view hidden variables by using view source, and this value can be obtained through request scope.

Uh yes, I understand you, but you apparently didn't understand me. Still, "session tracking" is a big word. Also, you normally don't create the session yourself, this is normally to be done by the application server. You just use HttpSession#get/setAttribute() to handle stuff in the session scope (note: this is NOT the same as session tracking, as most of you seem to think; that is normally already done for you by the application server).
 