Java Session Variables

I heard that some people believe that storing information on a server in a session is a bad idea that it is not secure.

As a result, in a multi-page function of a business process, the application writes data to db and then retrieves information when necessary. Is there anything unsafe about storing private information in a session?

+4
3 answers

There is no security risk in storing attributes in a session if the session itself is secured against hijacking.

There are serious problems involving concurrency and sessions. Since it is extremely common for multiple threads to simultaneously execute requests for a single session, you must ensure that the objects stored in the session are thread-safe. Either make them immutable, or make them thread-safe with memory barriers such as synchronization. I highly recommend Brian Goetz's article on this subject.

+7
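The lost-update problem the answer above warns about, as an added example that is not part of the original answer: a mutable object stored in a session and hit by concurrent requests, beside the same state guarded by synchronization. The session map, the two counter classes and the request count are constructed for this demo; a `ConcurrentHashMap` stands in for `HttpSession`, since the container's attribute store being safe to call says nothing about the objects placed in it.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.function.Consumer;

public class SessionConcurrencyDemo {

    // Unsafe attribute: plain field, compound update, no memory barrier.
    // Two requests can read the same value and both write value+1 (lost update).
    static final class MutableCounter {
        int value;
        void increment() { value++; }
    }

    // Safe attribute: the same state behind a memory barrier (synchronized).
    // An AtomicInteger would serve equally well for a single counter.
    static final class SafeCounter {
        private int value;
        synchronized void increment() { value++; }
        synchronized int get() { return value; }
    }

    // Simulates n concurrent requests, each running handler against the same session.
    static void simulateRequests(Map<String, Object> session, int n,
                                 Consumer<Map<String, Object>> handler) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(8);
        for (int i = 0; i < n; i++) pool.submit(() -> handler.accept(session));
        pool.shutdown();
        pool.awaitTermination(30, TimeUnit.SECONDS);
    }

    public static void main(String[] args) throws InterruptedException {
        int requests = 100_000;
        Map<String, Object> session = new ConcurrentHashMap<>(); // constructed stand-in for HttpSession

        session.put("cartItems", new MutableCounter());
        simulateRequests(session, requests, s -> ((MutableCounter) s.get("cartItems")).increment());
        System.out.println("mutable counter:      " + ((MutableCounter) session.get("cartItems")).value
                + "  (expected " + requests + "; typically lower because updates were lost)");

        session.put("cartItems", new SafeCounter());
        simulateRequests(session, requests, s -> ((SafeCounter) s.get("cartItems")).increment());
        System.out.println("synchronized counter: " + ((SafeCounter) session.get("cartItems")).get()
                + "  (always " + requests + ")");
    }
}
```

The first count varies from run to run; the second is exact because every read-modify-write of the attribute is serialized behind the monitor.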

HTTP sessions are not in themselves insecure. However, depending on your application server / container, the mechanism by which session cookies are sent back to the browser (and the lack of transport layer security, i.e. SSL) allows malicious parties to perform various attacks (cross-site scripting, session hijacking, etc.). I would spend some time learning these things along with SQL injection to understand the full implications of using HTTP sessions. If your application runs behind a firewall, there are often many more security risks than this, for example, social engineering.

+4

Besides performance and concurrency issues, you should also think about usability. Do multiple open pages work, the back button, bookmarks, links to your site, etc.? I ended up booking a flight the same day at aerlingus.ie and almost booked the wrong hotel on lastminute.com due to their gloomy websites.

+1
