Originally posted by David O'Meara:
You're quite right, the way you've approached it, but the problem I find is that when people start building something like this, they can't help re-inventing session management and this is something I find very dangerous.
Just to state again Ben's is a workable solution, but don't take it any further!
Dave
Agreed
This was actually in the ServletAPI and was removed for security reasons.
http://java.sun.com/j2ee/1.4/docs/api/javax/servlet/http/HttpSessionContext.html
Anytime you build something yourself, you need to weigh the 'benefit vs risk' in doing so. If you're going to add this functionality to a real production app, think hard about what you're exposing and to whom.
With this same technique, you could choose to expose only a subset from within your session. For example, you could create a userBean with properties that you want to expose and store a reference to that object instead of the session itself. You could also use the "Facade Pattern" to wrap the sessions that you are exposing which would also allow you to limit what methods and properties are exposed.
In other words, building it yourself can be much safer than having the methods exposed as part of the Servlet Spec, but it is up to you to understand the risks involved.
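The facade approach described in the reply above, as an added Java example that is not code from the original thread. It assumes sessions are collected by an `HttpSessionListener` and that the application stores the login name under a `userName` attribute; the class names `SessionView` and `SessionRegistry` are hypothetical.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Read-only facade: no setAttribute(), no invalidate(), no session id. */
final class SessionView {
    private final HttpSession session; // wrapped, never handed out
    SessionView(HttpSession session) { this.session = session; }

    /** "userName" is an assumed attribute key, set by the app at login. */
    public String getUserName() {
        try {
            Object v = session.getAttribute("userName");
            return (v instanceof String) ? (String) v : null;
        } catch (IllegalStateException invalidated) {
            return null; // session ended between lookup and read
        }
    }

    public long getLastAccessedTime() {
        try { return session.getLastAccessedTime(); }
        catch (IllegalStateException invalidated) { return -1L; }
    }
}

/** Tracks live sessions but publishes only SessionView facades. */
public class SessionRegistry implements HttpSessionListener {
    // Keyed by session id internally; ids are never returned to callers.
    private static final Map<String, SessionView> VIEWS = new ConcurrentHashMap<>();

    @Override
    public void sessionCreated(HttpSessionEvent e) {
        VIEWS.put(e.getSession().getId(), new SessionView(e.getSession()));
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent e) {
        VIEWS.remove(e.getSession().getId());
    }

    /** Unmodifiable collection of facades, not sessions or ids. */
    public static Collection<SessionView> activeSessions() {
        return Collections.unmodifiableCollection(VIEWS.values());
    }
}
```

The listener has to be registered in `web.xml` (or with `@WebListener` on Servlet 3.0 and later) before the container will call it.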