>If this information need not be persistent across multiple sessions of a
>user, you can definitely use HTTPSession to store this much of
>information.
>However, depending on the nature of data you want to store, you may
>consider a combination of persistent means (such as a DB) and
>HTTPSessions.
As I said before, the best way is to store this in the DB, but I really
don't trust MySQL in an application like this, because once the DB gets
screwed up, you will have serious problems. And given that MySQL
doesn't have any integrity checks, I prefer not to rely on MySQL.
>> Also, when I can't use a cookie and encode the URL for transferring
>> User ID between requests, the URL becomes something like
>> http://www.xxx.com/JSERVUID=some_junk_data. Is this secure?
>Secure in what way?
>In the above URL, what is being exposed is an identifier specific to a
>session. But this does not expose any application/user data.
I mean, is it secure for users to see the session IDs? Because if you
know the session ID of your session, you might be able to get the
session ID of someone else, and you can see all the data that belongs to
that user if Java doesn't encode this session ID with the EncodeURL
function very well. It looks like a backdoor for hackers.
Thanks for the input.
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html