After reading through the JSDK 2.2 API (chapter 7) regarding sessions, there
was no mention of how to implement session IDs. It appears (not only from
reading this but also by looking at the cookie values that different engines
supply) that this is vendor specific. Is there any algorithm that
determines the uniqueness of session IDs?
Background:
What I'm trying to do is design a database table to serialize session
objects to so I can redirect clients to different servers (an SSL server in
my case).  I was/am planning on using a table that has two columns, a
key/value pair (one session id column and one session object column).  This
way I could use a servlet on Server A to write the session object into the
database using the session ID as the key and then redirect the client to
Server B (secure server) adding the session ID parameter to the URL. After
this, a servlet on Server B could read the session associated with this
session ID, write the information filled in on the secure server into the
session, send the database an update command with the new session object and
then read it back out once the client arrived back at Server A.
There was a recommendation by Craig McClanahan about setting a custom
cookie, but that wouldn't work for client browsers that have cookies turned
off (I know, I should probably just redirect those people to a happy place
but I can't at the moment :-))

So the big question is, "Is the session ID a valid unique identifier for my
database table?" I plan on removing the row from the database immediately
after getting the object back into a session on Server A, as well as having a
trigger run that will make sure that any entries that are more than 30
minutes old are removed, but I don't want the possibility of two different
users reading the same session object from the database at the same time
because they have the same session ID. Mixing up people's credit cards
would not be a good thing...

Another thought that crossed my mind would be to create a third column that
put the IP address of the client into the database as well to add a little
more insurance to the scenario.

Thanks for any input.

Mike
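As an added illustration of the handoff table described in the post above (this is example code, not from the original message or the JSP-INTEREST list): a Python/SQLite version that keys the row on a freshly generated random token instead of the container's vendor-specific session ID, deletes the row on first read so a token can be redeemed only once, applies the 30-minute expiry, and binds the row to the client IP as the "third column". Table and function names are assumptions of this example.

```python
import json
import secrets
import sqlite3
import time

HANDOFF_TTL_SECONDS = 30 * 60  # the post's 30-minute retention window

def open_store(path=":memory:"):
    """Create the handoff table: the post's key/value pair plus IP and timestamp columns."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS handoff (token TEXT PRIMARY KEY,"
        " session_json TEXT NOT NULL, client_ip TEXT NOT NULL, created REAL NOT NULL)"
    )
    return conn

def stash_session(conn, session, client_ip, now=None):
    """Server A: serialize the session under a fresh random token (not the
    container's session ID) and return the token to append to the redirect URL."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: unguessable, no collisions in practice
    with conn:  # commits on success
        conn.execute("INSERT INTO handoff VALUES (?, ?, ?, ?)",
                     (token, json.dumps(session), client_ip, now or time.time()))
    return token

def claim_session(conn, token, client_ip, now=None):
    """Server B: read and delete the row in one transaction so a token is
    redeemable exactly once; reject expired rows and IP mismatches."""
    now = now or time.time()
    with conn:
        row = conn.execute("SELECT session_json, client_ip, created FROM handoff WHERE token = ?",
                           (token,)).fetchone()
        if row is None:
            return None
        conn.execute("DELETE FROM handoff WHERE token = ?", (token,))
    session_json, stored_ip, created = row
    # IP binding is the post's "third column" idea; proxies and NAT can change a client's address
    if now - created > HANDOFF_TTL_SECONDS or stored_ip != client_ip:
        return None
    return json.loads(session_json)

def prune_expired(conn, now=None):
    """Stand-in for the post's 30-minute cleanup trigger; returns the number of rows removed."""
    cutoff = (now or time.time()) - HANDOFF_TTL_SECONDS
    with conn:
        cur = conn.execute("DELETE FROM handoff WHERE created < ?", (cutoff,))
    return cur.rowcount
```

The token, not the session ID, goes in the redirect URL; Server A's own session stays keyed by the container as before.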
