Vincent,
1. If you put some object into session-scope, it will be stored on the
server (in the memory occupied by the Java process executing your webapp).
Some persistence mechanisms may save it to disk or into a database. But you
would know if that is the case for you.
However, the sessionid is
Andreas,
1. Where is the session variable stored? server side or client cookie?
However, the sessionid is passed back and forth between the server and the
client, of course. But that should not be a problem, because of the
(pseudo) random and quite complex nature of sessionids it would be hard
-Original Message-
From: Christopher Schultz [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 13, 2003 2:16 PM
To: Tomcat Users List
Subject: Re: session security questions?
Andreas,
1. Where is the session variable stored? server side or client cookie?
However, the sessionid is passed back