How is session management done in HTTP?


There are many aspects to enforcing proper session management, and all best practices should be implemented to mitigate potential compromise.

Q. How is HTTP session maintained?

Sessions are maintained automatically by a session cookie that is sent to the client when the session is first created. If a client does not support or allow cookies, the server rewrites the URLs it sends to that client so that they carry the session ID.

Q. How do you set a session in HTTP request?

In the HTTP response, the server can set a cookie. It does so with the Set-Cookie header. For example: Set-Cookie: session=12345; path=/

  1. Set Secure/HttpOnly Flags on your Cookies.
  2. Generate New Session Cookies.
  3. Configure Session Cookies Properly.

Q. Where is HTTP session stored?

HttpSession is a high-level interface built on top of cookies and URL rewriting, which means that only a session ID is stored on the client side and the data associated with it is stored on the server side.

Q. How HTTP session is created?

The servlet container uses this interface to create a session between an HTTP client and an HTTP server. The session persists for a specified time period, across more than one connection or page request from the user. A session usually corresponds to one user, who may visit a site many times.

Q. How long does a HTTP session last?

By default, a session lasts until there’s 30 minutes of inactivity, but you can adjust this limit so a session lasts from a few seconds to several hours.
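The cookie practices, server-side storage and inactivity timeout described in the answers above, combined in one added example (not code from this page or from any servlet container). The class and function names are hypothetical, and SameSite=Lax is an assumed reading of "configure session cookies properly".

```python
import secrets
import time

IDLE_TIMEOUT = 30 * 60  # seconds; the 30-minute inactivity default mentioned above


class SessionStore:
    """Server-side store: the client only ever holds the opaque session ID."""

    def __init__(self, clock=time.time):
        self._data = {}      # session ID -> (last_seen, dict of session data)
        self._clock = clock  # injectable so expiry can be exercised without sleeping

    def create(self, data=None):
        sid = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
        self._data[sid] = (self._clock(), dict(data or {}))
        return sid

    def get(self, sid):
        """Return the session data, or None if the ID is unknown or idle too long."""
        entry = self._data.get(sid)
        if entry is None:
            return None
        last_seen, data = entry
        if self._clock() - last_seen > IDLE_TIMEOUT:
            del self._data[sid]  # expire on the server, not only in the browser
            return None
        self._data[sid] = (self._clock(), data)  # sliding inactivity window
        return data

    def regenerate(self, old_sid):
        """Issue a fresh ID (for example at login) and invalidate the old one."""
        data = self.get(old_sid)
        if data is None:
            return None
        del self._data[old_sid]
        return self.create(data)


def set_cookie_header(sid):
    # Secure: sent over HTTPS only. HttpOnly: not readable from page scripts.
    # SameSite=Lax is an assumption added for this example.
    return f"Set-Cookie: session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

Calling regenerate() at every privilege change means an ID that was known before login is useless afterwards.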

Q. Is HTTP session based?

In the case of transport protocols that do not implement a formal session layer (e.g., UDP) or where sessions at the application layer are generally very short-lived (e.g., HTTP), sessions are maintained by a higher level program using a method defined in the data being exchanged.

Q. Why you should not use JWT?

JWTs which just store a simple session token are inefficient and less flexible than a regular session cookie, and don’t gain you any advantage. The JWT specification itself is not trusted by security experts. This should preclude all usage of them for anything related to security and authentication.

Q. Should I use sessions or JWT?

Token-based authentication using JWT is the more recommended method in modern web apps. One drawback of JWT is that a JWT is much bigger than the session ID stored in a cookie, because the JWT contains more user information.

Q. How do HTTP sessions work?

Sessions are slightly different. Each user gets a session ID, which is sent back to the server for validation either by cookie or by GET variable. Sessions are usually short-lived, which makes them ideal in saving temporary state between applications. Sessions also expire once the user closes the browser.

Q. What is difference between POST and GET request?

GET and POST are two different types of HTTP request methods…

| GET REQUEST | POST REQUEST |
| --- | --- |
| It is less secure because data sent is part of the URL. | It is a little safer because the parameters are not stored in browser history or in web server logs. |
| It is cacheable. | It is not cacheable. |

Q. How do I process HTTP request?

An HTTP client sends an HTTP request to a server in the form of a request message, which has the following format:

  1. A Request-line.
  2. Zero or more header (General|Request|Entity) fields followed by CRLF.
  3. An empty line (i.e., a line with nothing preceding the CRLF) indicating the end of the header fields.
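An added example (not from the original page) that parses a request in the three-part layout listed above and reports whether the session ID arrived in the Cookie header or in the URL, the case the GET/POST comparison describes as less secure. The function names and sample requests are constructed for illustration; the name "session" comes from the Set-Cookie example earlier on this page.

```python
from urllib.parse import urlsplit, parse_qs

SESSION_NAME = "session"  # cookie/parameter name from the page's Set-Cookie example

# Constructed sample requests (not captured traffic).
COOKIE_REQ = (b"GET /account HTTP/1.1\r\nHost: example.test\r\n"
              b"Cookie: theme=dark; session=12345\r\n\r\n")
URL_REQ = b"GET /account?session=12345 HTTP/1.1\r\nHost: example.test\r\n\r\n"


def parse_request(raw: bytes):
    """Split a request into (method, target, version, headers)."""
    head, sep, _body = raw.partition(b"\r\n\r\n")  # empty line ends the header fields
    if not sep:
        raise ValueError("no empty line terminating the header fields")
    lines = head.decode("ascii").split("\r\n")
    parts = lines[0].split(" ")                    # the Request-line
    if len(parts) != 3:
        raise ValueError("malformed Request-line")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:                         # zero or more header fields
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header field: {line!r}")
        headers.setdefault(name.lower(), []).append(value.strip())
    return method, target, version, headers


def session_id_sources(raw: bytes):
    """Return {'cookie': id or None, 'url': id or None} for one request."""
    _method, target, _version, headers = parse_request(raw)
    found = {"cookie": None, "url": None}
    for header in headers.get("cookie", []):
        for pair in header.split(";"):
            name, _, value = pair.strip().partition("=")
            if name == SESSION_NAME:
                found["cookie"] = value
    query = parse_qs(urlsplit(target).query)
    if SESSION_NAME in query:
        # An ID here is recorded in browser history and web server logs.
        found["url"] = query[SESSION_NAME][0]
    return found
```

A non-None "url" entry is worth alerting on in request logs, since it means the session ID is being carried in the URL rather than only in the cookie.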

Q. What is HTTP request and HTTP response with example?

HTTP messages are how data is exchanged between a server and a client. There are two types of messages: requests sent by the client to trigger an action on the server, and responses, the answer from the server. HTTP messages are composed of textual information encoded in ASCII, and span over multiple lines.

Q. What is the format of HTTP response?

After receiving and interpreting a request message, a server responds with an HTTP response message:

  1. A Status-line.
  2. Zero or more header (General|Response|Entity) fields followed by CRLF.
  3. An empty line (i.e., a line with nothing preceding the CRLF) indicating the end of the header fields.

Q. What’s a request response in HTTP?

An HTTP response is made by a server to a client. The aim of the response is to provide the client with the resource it requested, or inform the client that the action it requested has been carried out; or else to inform the client that an error occurred in processing its request.

Q. What are the three parts to a URL?

A URL for HTTP (or HTTPS) is normally made up of three or four components:

  • A scheme. The scheme identifies the protocol to be used to access the resource on the Internet.
  • A host. The host name identifies the host that holds the resource.
  • A path.
  • A query string.