1. As far as I know, there are two ways to pass around session attributes: cookies, and URL rewriting if users disable their cookies. We then use the HttpSession interface to interact with/manipulate those session objects. Is this about right?
3. Cookies violate statelessness? So, what to do?
Secondly, how do we access the content of an HTTP header without HttpSession? Using the HTTP HEAD method?
So, no cookies needed?
For a WS, no.
I thought cookies are an HTTP header.
Correct, but they're optional.
How do we access the content of an HTTP header without HttpSession? Using the HTTP HEAD method?
The HttpServletRequest class has methods for accessing HTTP headers. HTTP headers as such have nothing to do with HTTP sessions. The HTTP HEAD method does something else entirely.
They're frequently used by web apps to store user-specific information. Often the session ID is stored in them, if sessions are used. Web apps are a different usage scenario than WS, though.
It's perfectly normal. Whether it's sensible in any given web app is another question.
And when using cookies, HttpSession is also automatically in play, since the two are inseparable.
What are the sample cases where the use of cookies is recommended in a web application?
To store user settings, for example. Maybe a site lets you adjust its look (by setting the font size, maybe) - that might be stored in a cookie so that next time you visit, the font size is adjusted from the beginning.
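Not from this thread, but as an added illustration of that reply: a small servlet that keeps exactly such a display preference in a cookie, with no HttpSession involved. The servlet path "/prefs", the cookie name "fontSize" and the three allowed values are my assumptions; it targets the javax.servlet 3.0 API (Java 9 or later for Set.of). The point a practitioner cares about is that a cookie value comes back from the client and so is validated against an allowlist before use, and that the cookie is marked HttpOnly (and Secure when served over TLS) even though it holds nothing sensitive, so the habit carries over to cookies that do.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: path, cookie name and allowed values are assumptions for this example.
@WebServlet("/prefs")
public class FontSizeServlet extends HttpServlet {

    private static final String COOKIE_NAME = "fontSize";
    // The only values ever trusted from the client; anything else is treated as absent.
    private static final Set<String> ALLOWED = Set.of("small", "medium", "large");
    private static final int ONE_YEAR_SECONDS = 60 * 60 * 24 * 365;

    // Reads the preference from the Cookie header; falls back to "medium" when it is missing or invalid.
    static String fontSizeFrom(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();   // null when the request carries no Cookie header at all
        if (cookies != null) {
            for (Cookie c : cookies) {
                if (COOKIE_NAME.equals(c.getName()) && ALLOWED.contains(c.getValue())) {
                    return c.getValue();
                }
            }
        }
        return "medium";
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // No HttpSession is created or consulted: the preference lives entirely in the cookie.
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println("font size: " + fontSizeFrom(req));
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String wanted = req.getParameter("size");
        if (wanted == null || !ALLOWED.contains(wanted)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "unknown font size");
            return;
        }
        Cookie c = new Cookie(COOKIE_NAME, wanted);
        c.setPath("/");
        c.setMaxAge(ONE_YEAR_SECONDS);   // persists across browser restarts, which is the whole point here
        c.setHttpOnly(true);             // not readable by page scripts
        c.setSecure(req.isSecure());     // only sent over TLS when the app itself is served over TLS
        resp.addCookie(c);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

Note that the cookie holds a preference, not an identity: nothing here decides who the user is, so a tampered value can at most pick a different font size, and the allowlist stops even that from turning into anything the page echoes back unvalidated.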
2. Referring to point number 1, is the said token always put in an HTTP header? Because in several links like
the use of an HTTP header to store the auth token is not recommended; they recommend cookies instead. Could you please
1. So, in both WS and web app, do we always use an authentication token, never the actual credentials themselves?
Initially, for both the credentials would need to be transmitted. For web apps, you'd generally start a session, and only the sessionID would be transmitted. For WS you'd use the token in subsequent calls.
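As an added example (mine, not code from this thread or from the linked FAQ), here is the WS variant of that reply in servlet terms, and at the same time the earlier answer about reading headers through HttpServletRequest rather than through a session: the credentials travel once, to a login endpoint, and every later call carries only a token in the Authorization header, which a Filter reads directly and checks against a store. Assumptions: javax.servlet 3.0 with a container realm configured so that HttpServletRequest.login works, Java 16 or later (for the record), the paths "/api/login" and "/api/secure/*", a one-hour token lifetime, and an in-memory store that is fine for a single JVM only. The three classes are shown together for reading; each goes in its own source file.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

// Assumed in-memory token store for a single JVM. Only a SHA-256 of each token is kept, so a
// copied map does not yield usable tokens; entries expire after TTL_MILLIS.
final class TokenStore {
    private record Entry(String user, long expiresAt) {}
    private static final Map<String, Entry> BY_HASH = new ConcurrentHashMap<>();
    private static final SecureRandom RNG = new SecureRandom();
    private static final long TTL_MILLIS = 60L * 60 * 1000;

    // Issues a fresh 256-bit random token for an already-authenticated user.
    static String issue(String user) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        BY_HASH.put(hash(token), new Entry(user, System.currentTimeMillis() + TTL_MILLIS));
        return token;
    }

    // Returns the user bound to a presented token, or null if it is unknown or expired.
    static String userFor(String token) {
        String key = hash(token);
        Entry e = BY_HASH.get(key);
        if (e == null) return null;
        if (System.currentTimeMillis() > e.expiresAt()) {
            BY_HASH.remove(key);   // expired: drop it so the map does not grow without bound
            return null;
        }
        return e.user();
    }

    private static String hash(String token) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(d);
        } catch (GeneralSecurityException ex) {
            throw new IllegalStateException(ex);
        }
    }
}

// Step 1: the credentials are sent exactly once, to this endpoint, and exchanged for a token.
@WebServlet("/api/login")
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        try {
            req.login(user, pass);   // Servlet 3.0: the container's configured realm checks them
        } catch (ServletException bad) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().print(TokenStore.issue(user));
    }
}

// Step 2: every later call carries only the token, read straight from the Authorization header
// through HttpServletRequest. No HttpSession is created or consulted on this path.
@WebFilter("/api/secure/*")
public class TokenFilter implements Filter {
    private static final String SCHEME = "Bearer ";

    @Override
    public void doFilter(ServletRequest r, ServletResponse s, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) r;
        HttpServletResponse resp = (HttpServletResponse) s;
        String header = req.getHeader("Authorization");
        String user = (header != null && header.startsWith(SCHEME))
                ? TokenStore.userFor(header.substring(SCHEME.length()))
                : null;
        if (user == null) {
            resp.setHeader("WWW-Authenticate", "Bearer");
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        req.setAttribute("authUser", user);   // downstream servlets read the caller's identity from here
        chain.doFilter(r, s);
    }
}
```

The web-app variant from the same reply differs only in step 2: after req.login succeeds you would call req.getSession(true) instead of issuing a token, and the container would then carry the session ID in the JSESSIONID cookie (or by URL rewriting) on every later request. Either way the password never appears again after the first call.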
2. Referring to point number 1, is the said token always put in an HTTP header?
I think it might be more instructive if you explained why you see a connection between the two.
For a web app I would advise using the standard servlet security approach: http://www.coderanch.com/how-to/java/ServletsFaq#security