Hi Benjamin,

The sessions have a timeout value.  If there is no action on a session for
that amount of time the server kills it.  You can also invalidate a session
in your program, usually with a "logout" page, but there's no guaranteeing
that the user will do it.

A snooper could technically get a session number and start using it, if they
can do it before the timeout kills the session.

If you are worried about that you need to use HTTPS.

If you don't use url rewriting, each page will be a new session.  This may
not show up until you try to share something in a session object, and the
page that expects it to be there gets a null.

Hope this helps,

Rick.


----- Original Message -----

> Hello !
> I have a few questions concerning the implicit session object.
>
> On the Java Sun web site, I can read this about the HttpSession
> interface :
>
> "The servlet container uses this interface to create a session between
> an HTTP client and an HTTP server. The session persists for a specified
> time period, across more than one connection or page request from the
> user. A session usually corresponds to one user, who may visit a site
> many times. The server can maintain a session in many ways such as using
> cookies or rewriting URLs."
>
> My browser is configured to refuse the cookies, and I've no cookies on
> my disk, my conclusion is that Tomcat does not use cookies.
> But I've no URL rewriting either (Except if that's invisible !?? Like
> the POST method of a form !?)
>
> I really need to know how that's implemented by HttpSession, if someone
> can help me?
>
> Another question.
> I use Tomcat 3.3a, and I'm worried whether the security of these sessions is
> good?
> Is that possible for a hacker to recuperate the session variables of a
> server ?
>
> Thanks a lot !
> Benja.
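The three points in Rick's reply (inactivity timeout, an explicit logout that invalidates the session, and URL rewriting so a cookie-refusing browser keeps the same session) can be seen together in one servlet. The following is an added example, not code from either message; it assumes the servlet is mapped to the path "/session" in web.xml, and the attribute name "hits" and the "action=logout" parameter are made up for the demonstration. It uses only the javax.servlet 2.2 API that Tomcat 3.3 implements.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet (added example) assumed to be mapped to /session.
public class SessionDemoServlet extends HttpServlet {

    // Inactivity timeout in seconds. A short value narrows the window in
    // which a snooped session id can still be replayed before the server
    // kills the session. The same setting can be made for the whole web
    // application with <session-timeout> (minutes) in web.xml.
    private static final int TIMEOUT_SECONDS = 10 * 60;

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html");
        PrintWriter out = resp.getWriter();

        if ("logout".equals(req.getParameter("action"))) {
            // getSession(false): do not create a session just to destroy it.
            HttpSession old = req.getSession(false);
            if (old != null) {
                old.invalidate();   // server-side kill; the old id is useless afterwards
            }
            out.println("<p>Logged out.</p>");
            out.println("<a href=\"" + resp.encodeURL("session") + "\">Start again</a>");
            return;
        }

        // getSession(true): create a session on the first visit, reuse it afterwards.
        HttpSession session = req.getSession(true);
        session.setMaxInactiveInterval(TIMEOUT_SECONDS);

        // A per-session counter stored in the implicit session object.
        Integer hits = (Integer) session.getAttribute("hits");
        hits = (hits == null) ? new Integer(1) : new Integer(hits.intValue() + 1);
        session.setAttribute("hits", hits);

        out.println("<p>Hits in this session: " + hits + "</p>");
        // Shows how the container received the id on this request: from a
        // cookie, or from the ;jsessionid=... path parameter that URL
        // rewriting appends. Both false means a brand-new session.
        out.println("<p>Tracked by cookie: " + req.isRequestedSessionIdFromCookie()
                + ", by URL: " + req.isRequestedSessionIdFromURL() + "</p>");
        // isSecure() is true only over HTTPS; without it the id travels in
        // the clear and a snooper on the path can pick it up.
        out.println("<p>Over HTTPS: " + req.isSecure() + "</p>");

        // Every link back into the application must go through encodeURL().
        // For a client that refuses cookies it appends the session id; a
        // plain href="session" would start a fresh, empty session, and the
        // next page would find "hits" missing (null) as Rick describes.
        out.println("<a href=\"" + resp.encodeURL("session") + "\">Reload</a> ");
        out.println("<a href=\"" + resp.encodeURL("session?action=logout") + "\">Logout</a>");
    }
}
```

With cookies disabled in the browser, the first response carries no cookie and the links it contains look like `session;jsessionid=...`; following them keeps the counter increasing, while typing the bare URL by hand starts a new session with the counter back at 1. encodeURL() only appends the id when the container has not seen a session cookie from that client, so the same code works for both kinds of browser.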