Before you develop new objects to be stored in the HTTP session, consider enabling security integration. HTTP sessions are identified by session IDs, which are pseudo-random values generated at runtime. Session hijacking, in which an attacker obtains a valid session ID and presents it as their own, is a known attack on HTTP sessions. Sending every request over a secure connection (HTTPS) prevents the session ID from being captured on the network, but not every customer configuration enforces that constraint, because of the potential SSL performance impact, and sessions in such configurations remain vulnerable to hijacking. WebSphere Application Server - Express can integrate HTTP sessions with application server security. When you enable security in WebSphere Application Server - Express, a session created by an authenticated user is accessible only to requests carrying that same authenticated identity, so only the session creator has access to the session.
When you add Java objects to a session, place the class files for those objects on the application server class path or in the Web module path so that the container can load them. Because one HttpSession object is shared by every servlet the user accesses in the application, adopt a site-wide naming convention for session attribute names to avoid conflicts between servlets.
Note: Do not store large object graphs in HttpSession.
In most applications, each servlet needs only a fraction of the total session data. Storing all of that data in HttpSession as one large object forces WebSphere Application Server - Express to process the entire object each time the session is accessed, even when the servlet needs only a small part of it. Store the state each servlet needs as separate, small attributes instead.
Release HttpSession objects when you are finished with them. An HttpSession object lives inside the Web container until one of the following occurs:
The application explicitly and programmatically releases it by calling javax.servlet.http.HttpSession.invalidate(). Programmatic invalidation is commonly part of an application's logout function.
The application server destroys the HttpSession object when it expires; the default timeout is 1800 seconds (30 minutes) of inactivity.
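The following servlet is an added example, not code from the original page or from WebSphere Application Server - Express itself. It shows the practices above together: attribute names under an assumed site-wide prefix (com.example.*), a small Serializable list of item IDs stored instead of a large object graph, an idle timeout set per session, and explicit release of the session on logout. The class and attribute names are hypothetical.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical shop servlet that keeps only the small pieces of state it
 * actually needs in the HttpSession and releases the session on logout.
 */
public class CartServlet extends HttpServlet {

    // Assumed site-wide naming convention: attribute names are prefixed with
    // the owning module so that servlets sharing one session do not collide.
    static final String CART_ITEM_IDS = "com.example.shop.cart.itemIds";
    static final String USER_NAME = "com.example.auth.userName";

    // Idle timeout for this application's sessions. The container default is
    // 1800 seconds; a shorter interval limits the window for a hijacked ID.
    static final int IDLE_TIMEOUT_SECONDS = 600;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String action = req.getParameter("action");

        if ("logout".equals(action)) {
            // Release the session explicitly instead of waiting for expiry.
            // getSession(false) avoids creating a new session just to destroy it.
            HttpSession existing = req.getSession(false);
            if (existing != null) {
                existing.invalidate();
            }
            resp.sendRedirect(req.getContextPath() + "/loggedout.html");
            return;
        }

        // Obtain the session through the request on every call; never keep it
        // in a servlet field, because the servlet instance is shared by all users.
        HttpSession session = req.getSession(true);
        session.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);

        if ("add".equals(action)) {
            String itemId = req.getParameter("itemId");
            if (itemId != null && !itemId.isEmpty()) {
                // Store only the item IDs (a small list of strings), not the
                // full product objects; the servlet that renders the cart
                // reloads product details from the catalog by ID.
                @SuppressWarnings("unchecked")
                List<String> itemIds = (List<String>) session.getAttribute(CART_ITEM_IDS);
                if (itemIds == null) {
                    itemIds = new ArrayList<>();
                }
                itemIds.add(itemId);
                // Call setAttribute after mutating the list so that a container
                // which persists or replicates sessions notices the change.
                session.setAttribute(CART_ITEM_IDS, itemIds);
            }
        }

        resp.setContentType("text/plain");
        resp.getWriter().println("cart size: " + cartSize(session));
    }

    /** Reads the cart size from the session without touching any other attribute. */
    static int cartSize(HttpSession session) {
        List<?> itemIds = (List<?>) session.getAttribute(CART_ITEM_IDS);
        return itemIds == null ? 0 : itemIds.size();
    }
}
```

The logout branch uses getSession(false) so that a logout request arriving without a session does not allocate a fresh one only to invalidate it; the add branch keeps the session footprint to a list of IDs, which is also what a persisted or replicated session would have to serialize.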
Note: Do not save and reuse the HttpSession object outside of each servlet or JSP.
The HttpSession object is obtained from the HttpServletRequest through its getSession() method, and the reference is valid only for the duration of the service() method of the servlet or JSP that retrieved it. Do not cache the HttpSession object, for example in a servlet instance field or a static variable, and refer to it outside that scope. A servlet instance serves the requests of all users, so a cached reference can expose one user's session data to another, and it can also point at a session the container has already invalidated.
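The two servlets below are an added example, not code from the original page or from WebSphere Application Server - Express. The first shows the caching mistake the note warns about and the cross-user effect it has; the second shows the request-scoped pattern that avoids it. Class and attribute names are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * WRONG: caches the HttpSession in a servlet instance field. One servlet
 * instance handles every user's requests concurrently, so the field holds
 * whichever user's session was assigned most recently. Two overlapping
 * requests from different users can read each other's session data.
 */
class ProfileServletBroken extends HttpServlet {
    private HttpSession session;          // shared by all users and all threads

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        session = req.getSession(true);   // overwrites another thread's value
        renderGreeting(resp);
    }

    private void renderGreeting(HttpServletResponse resp) throws IOException {
        // By the time this runs, "session" may belong to another user's
        // request, or may already have been invalidated by that user's
        // logout, in which case getAttribute throws IllegalStateException.
        String user = (String) session.getAttribute("com.example.auth.userName");
        resp.setContentType("text/plain");
        resp.getWriter().println("Hello " + user);   // possibly the wrong user
    }
}

/**
 * RIGHT: the session is obtained from the request inside doGet() and passed
 * down as a parameter. Nothing referring to it survives past the request.
 */
public class ProfileServlet extends HttpServlet {
    // Assumed site-wide attribute naming convention.
    static final String USER_NAME = "com.example.auth.userName";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(false): an unauthenticated visitor must not get a session
        // created as a side effect of viewing the profile page.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute(USER_NAME) == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        renderGreeting(session, resp);
    }

    private static void renderGreeting(HttpSession session, HttpServletResponse resp)
            throws IOException {
        // Local, request-scoped reference; valid until doGet returns.
        String user = (String) session.getAttribute(USER_NAME);
        resp.setContentType("text/plain");
        resp.getWriter().println("Hello " + user);
    }
}
```

The difference is purely about scope: in the corrected servlet the only places that hold the session are a local variable and a method parameter, so there is no path by which a second concurrent request can observe or overwrite it.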