Is there a formal definition of session integrity regarding servlets?
This question is related to another existing SO question. HttpServletRequest's getSession(boolean) method mentions session integrity, but it does not define the concept.
I could not find an official definition. Is there any? Does anyone know what rules formally define when a session is in or out of integrity? Thanks.
It refers to the concept of linking the server session with the client (web browser) session with a cookie.
I'm not sure how familiar you are with java web apps, but the Servlet containers can track sessions by adding a parameter to the url (usually called jsessionid) or by sending a cookie to the client. I think it gets confusing because session tracking is a synonym of session integrity.
I don't think there is a special meaning for the term "session integrity". A session is just a data store maintained between user requests for application-specific data. While the client provides the same valid session id with her requests, the application is guaranteed to have consistent session data, i.e. what the application has put into the session, it will also get back. So, I would treat "integrity" as using the common understanding of that word:
Integrity is a concept of consistency of actions, values, methods, measures, principles, expectations, and outcomes.
Session integrity is dealt with by the servlet container. Session integrity means the consistency of sessions, i.e. session tracking.
The servlet container can use (as far as I know) either of 2 types of session tracking:
- Cookie, by storing JSESSIONID in a cookie.
- URL Rewriting, by appending the JSESSIONID as a fragment (not as a parameter, and there are reasons why) in the URL.
The servlet container must make sure that it tracks its sessions with consistency.
Resources:
- Java Servlet (Wikipedia)
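As an added illustration of the points made in the answers above (not code from the question, the answers, or any servlet container), the following hypothetical servlet shows what "tracking with consistency" looks like from the servlet API: which channel (cookie or URL) the client's id arrived on, whether the container still has a live session for that id, and how getSession(false) versus getSession(true) decides whether a new session is created. Class name, attribute name and the "/next" path are assumptions for the example.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical example servlet: inspects how the container tracked the
// session for this request and only creates a session when none exists.
public class SessionCheckServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");

        // The id the client presented (if any) and the channel it arrived on.
        String requested = req.getRequestedSessionId();
        String source = req.isRequestedSessionIdFromCookie() ? "cookie"
                      : req.isRequestedSessionIdFromURL()    ? "url"
                      : "none";

        // getSession(false) never creates a session: it returns null when the
        // client sent no id, or an id the container does not recognise
        // (expired, invalidated, or never issued by this container).
        HttpSession existing = req.getSession(false);

        if (requested != null && !req.isRequestedSessionIdValid()) {
            // An id was presented but the container has no live session for it.
            // Nothing the client claims about that session is honoured; the
            // container will not resume it, so existing is null here.
            resp.getWriter().println("presented id via " + source
                    + " is not a live session");
        }

        if (existing == null) {
            // getSession(true) (same as getSession()) creates a fresh session
            // with a container-generated id.
            HttpSession created = req.getSession(true);
            created.setAttribute("visits", 1);   // "visits" is an example attribute
            resp.getWriter().println("new session " + created.getId());
        } else {
            // Consistency: whatever this application stored under the id on an
            // earlier request is what it gets back now.
            Integer visits = (Integer) existing.getAttribute("visits");
            existing.setAttribute("visits", visits == null ? 1 : visits + 1);
            resp.getWriter().println("session " + existing.getId() + " via " + source
                    + ", visits=" + existing.getAttribute("visits"));
        }

        // URL rewriting: encodeURL appends the id (in the ;jsessionid=... form)
        // only when the container has determined that this client is not
        // returning the session cookie; otherwise the URL is left unchanged.
        resp.getWriter().println("next: " + resp.encodeURL("/next"));
    }
}
```

Using getSession(false) on pages that do not need a session avoids creating one for every anonymous hit, and checking isRequestedSessionIdValid() tells the application whether an id in the request corresponds to a session the container actually issued and still holds. In a Servlet 3.0 or later container, the web.xml `<session-config>` element can restrict `<tracking-mode>` to COOKIE so that ids never appear in URLs, and `<cookie-config>` can mark the session cookie HttpOnly and Secure.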