How much do I need to consider a variable before storing it in the session?

 
Kishor Joshi
Ranch Hand
Posts: 674
Hi there

I am using sessions in my application. Although I have read a lot of articles saying that session variables are stored on the server.

My question is: which types of variables should I store in the session, and which types should I not?

For example, I am working on a shopping web application and I am implementing everything (AddToCart, Place Order, and so on) using the session.

So what are the security risks of storing a variable in the session?

Thanks
 
Tim Holloway
Bartender
Posts: 18412
  • Likes 2
There are no particular security risks in storing data in session objects. If someone can access the RAM that holds the session, they probably "own" the whole server anyway.

The real consideration is the amount of resources a session object requires. Session objects are stored in RAM, so the more/larger the session objects, the more RAM is required. If you have lots of users, you can multiply that RAM by the number of users.

Also, since session data is in RAM, there is, of course, the potential that the server will crash and lose the data in memory. So you should make sure that anything important is being backed up in persistent storage.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65522
All too often people shy away from using the session for fear that they're going to "run out of memory". As Tim rightly pointed out, you need to be aware that every user gets their own session, and so lots of users means lots of sessions. But also be wary of premature optimization. Use the session, but use it wisely. And don't bend over backwards to avoid using it for what it's supposed to be used for due to fear that you might end up with a problem.

I've used the session copiously in high-volume systems without issue. Address any issues when they become issues.

Also, some systems may want to serialize sessions, so be sure that your session objects are serializable. And never, ever, ever, store volatile components like the request or response in the session.
 
Kishor Joshi
Ranch Hand
Posts: 674
And never, ever, ever, store volatile components like the request or response in the session.

Can you clarify it a little bit more?
 
Tim Holloway
Bartender
Posts: 18412
  • Likes 2
In order to store an object in a session, that object and all of its related objects must be serializable - either a primitive data type or a class that implements java.io.Serializable. The HttpServletRequest, HttpServletResponse, JDBC Connection objects and other such items are defined as Interfaces, and therefore cannot be assumed to be Serializable, since only concrete classes can be serialized.

More importantly, these particular objects really are volatile. Many of them are essentially created just before the servlet/JSP executes and are destroyed (left for garbage collection) after it completes execution, and therefore holding on to them only results in useless garbage on the subsequent events.

JDBC connections are less volatile, but they should never be stored in sessions for several reasons. First, because every JDBC connection ties up a physical network connection and there's only a limited number of those. It's better to pull a Connection from a Connection Pool, use it, then return the Connection to the pool as soon as possible. Secondly, sessions can get swapped out to disk or transferred to another server (if the server is part of a cluster). In the case of the session being swapped, the non-serializability of the Connection means that what swaps back in will probably be severely damaged. In the case of serializing the session to a different server in the cluster, the Connection contains stuff that is internal to its original JVM, and again, what comes out the other side would probably be useless.
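As an added illustration of the points above (example code, not from the thread or any project): the cart keeps only plain data, marks anything volatile as transient, and a trial serialization shows what a container would hit when it passivates or replicates the session. `LiveResource` is a constructed stand-in for a non-serializable object such as an HttpServletRequest or a JDBC Connection.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

// Cart state kept in the session: only plain, serializable data.
// Anything volatile (a per-request object, a Connection) is transient,
// so it is dropped on serialization instead of breaking it.
class ShoppingCart implements Serializable {
    private static final long serialVersionUID = 1L;
    private final List<String> items = new ArrayList<>();
    private transient Object perRequestResource; // does not survive passivation

    void add(String sku) { items.add(sku); }
    List<String> items() { return items; }
    void attachResource(Object r) { perRequestResource = r; }
}

// Constructed stand-in for a non-serializable object (request, Connection).
class LiveResource { }

public class SessionAttributeCheck {
    // Trial-serialize a value the way a container does when it swaps a
    // session to disk or sends it to another cluster node. Returns the
    // deserialized copy, or throws NotSerializableException.
    static Object roundTrip(Object value) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(value);
        }
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ShoppingCart cart = new ShoppingCart();
        cart.add("sku-123");
        cart.attachResource(new LiveResource());
        // Survives: items are kept, the transient resource comes back as null.
        ShoppingCart copy = (ShoppingCart) roundTrip(cart);
        System.out.println("cart items after round trip: " + copy.items());

        // Fails: storing the volatile object itself as a session attribute.
        try {
            roundTrip(new LiveResource());
        } catch (NotSerializableException e) {
            System.out.println("container would refuse: " + e.getMessage());
        }
    }
}
```

Running `roundTrip` on a value before calling `session.setAttribute` is a cheap way to catch non-serializable attributes in development rather than at the first passivation or failover.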
 
Kishor Joshi
Ranch Hand
Posts: 674
@Tim

Thanks
 