1.1.5 Authentication - Session Info
Session Object
- is a Java Object
- is stored on the Server (either in Memory or in the Database)
- is used to track different Users (a different Session Object is assigned to each User)
- contains User related data (like whether the User is Authenticated, User's Role and Username)

JSESSIONID
- is a Cookie
- is stored in the Browser
- is used to track different Users (a different JSESSIONID is returned to each User)
- contains an ID that uniquely identifies the Session Object (assigned to that User)
- is received from the Server after successful Authentication (after the User provided a valid Username and Password)
- is sent to the Server with every HTTP Request
- is used by the Server to identify the User's Session Object
JSESSIONID and the Session Object are used to track different Users (and their data) between subsequent HTTP Requests.
This way the Server can for instance know if the User has already Authenticated (by providing a valid Username and Password)
in order to allow the User access to a restricted Resource in subsequent HTTP Requests.
For instance, upon successful Authentication, the Server can store authenticated=true and userRole=ADMIN in the User's
Session Object and return a JSESSIONID Cookie to uniquely identify the created Session Object. Then when that User sends
the next HTTP Request together with the stored JSESSIONID Cookie, the Server will use JSESSIONID to retrieve the User's Session
Object and will allow access to the restricted Resource based on the User's Role ADMIN.
For another User the Server would create a different Session Object and a different JSESSIONID Cookie to identify it. For that User, upon
successful Authentication, the Server can store authenticated=true and userRole=USER in the User's Session Object. Then
when that User sends the next HTTP Request, the Server will allow access to restricted Resources based on the User's Role USER.
Session Object Example
  id = JSESSIONID
  userID = 5248
  userName = John
  userRole = USER
  authenticated = true

[Figure: Initial HTTP Request - User requests Login.html and sends Authenticate (Username, Password) to the Server; the Server creates the Session Object and returns JSESSIONID.]
[Figure: Subsequent HTTP Requests - User requests Resource.html and sends JSESSIONID; the Server gets the Session Object.]
Session Object - Alternatives: Store User Data in additional Browser Cookies
Alternatively, the data stored in the Session Object could be stored in additional Browser Cookies and also sent with every
Request. But this might have the following negative effects:
- This might allow the User to tamper with the data (for instance changing the User Role from USER to ADMIN) and that way
  gain access to unauthorized resources. For that reason, keeping such User data on the Server is more secure.
- Since JSESSIONID contains just an ID, it is very small and therefore convenient to send with each HTTP Request.
  Storing all of the User data in additional Cookies (as suggested above) and then sending them with every HTTP Request
  might slow down interaction with the Server because more data would need to be sent/uploaded every time.
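The flow described above (login creates the Session Object, the JSESSIONID Cookie identifies it, and the Role kept on the Server decides access) written out as a servlet and a filter; this is an added example, not code from the original notes. It assumes the Jakarta Servlet API and a hypothetical UserStore.checkCredentials helper that returns the Role for a valid Username/Password pair.

```java
import jakarta.servlet.*;
import jakarta.servlet.annotation.*;
import jakarta.servlet.http.*;
import java.io.IOException;

@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String user = req.getParameter("username");
        // UserStore is a hypothetical helper: returns the role, or null
        // when the username/password pair is not valid.
        String role = UserStore.checkCredentials(user, req.getParameter("password"));
        if (role == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Create the server-side Session Object; the container sends the
        // matching JSESSIONID cookie with the response. The id is rotated so
        // the authenticated state is not tied to a pre-login JSESSIONID.
        HttpSession session = req.getSession(true);
        req.changeSessionId();
        session.setAttribute("authenticated", Boolean.TRUE);
        session.setAttribute("userName", user);
        session.setAttribute("userRole", role);   // stays on the server
        resp.sendRedirect(req.getContextPath() + "/Resource.html");
    }
}

// Guards /admin/* using the Session Object looked up from JSESSIONID. Reading
// the role from a client cookie instead would let the browser rewrite it.
@WebFilter("/admin/*")
class AdminFilter implements Filter {
    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        // getSession(false) never creates a session for an unknown JSESSIONID
        HttpSession session = req.getSession(false);
        boolean authenticated = session != null
                && Boolean.TRUE.equals(session.getAttribute("authenticated"));
        if (!authenticated || !"ADMIN".equals(session.getAttribute("userRole"))) {
            ((HttpServletResponse) rs).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(rq, rs);
    }
}
```

In a real project each class goes in its own source file and is declared public; they are shown together here only to keep the login and the check side by side.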