Sun Java System Web Server 6.1 SP6 Programmer's Guide to Web Applications

Sessions and Security

The Sun Java System Web Server security model is based on an authenticated user session. Once a session has been created, the application user is authenticated (if authentication is used) and logged in to the session. Each interaction step from the servlet that receives a request does two things: generates content for a JSP to format the output, and checks if the user is properly authenticated.

Additionally, you can specify that a session cookie is only passed on a secured connection (that is, HTTPS), so the session can only remain active on a secure channel.

For more information about security, see Chapter 6, Securing Web Applications.