I’m looking for corroboration, confirmation, and/or corrections, so if you got ’em, throw ’em in the comments please and I’ll update this post.
The more popular Flex and Flash gets, the more exposure I get to large server-side development teams. As most have developed a lot of web based applications, the question of session handling comes up time and time again. I’ve attempted to compare and contrast the current known methods for utilizing sessions in a web browser, and their parrellels with Flex & Flash development. My goal is to better understand why you do or do not need session handling in your web application.
In this post’s context, a session is defined as a way to uniquely indentify the client to the server. Since normal http interactions are stateless, there is no way for a request from the client web browser to the server to be uniquely identified. Where such situations are needed to know which client is which, and keep data associated with that client while they are interacting with the web application, a sessions is used. The real-world example is keep a list of items a user has added to their cart in an ecommerce site. Even if they go from page to page throughout the site, or back, the session keeps track of their cart items.
The three main ways to do this are:
- appending variables to the URL string
- hidden form field
The first way involves appending variables that are relevant to the web application state to the end of the URL and making sure each page continues to attach this information along as well. Hyperlinks may add &id=234890somerandomnum&cartitem1=someproductid to the end of the URL when travelling from page to page. The server-side code garner’s context, if needed, since these variables are passed to the server before processing the next page. The pro’s to this is you can easily see what variables are working during development, and this allows you to tweak your pages to test things while using the app. The cons are unweildy URL’s that are extremely long, if you miss passing one variable the whole thing gets fubarred, and harder to secure (assuming your methods handling the server-side variables don’t check for arbitrary data which they should).
The second way involves sticking a session ID or even additional vars like the above into a hidden form field(s).
The third way involves utilizing cookies that store session information. Pro is this is very application transparent for the front end, but the con is if cookies are disabled, it won’t work.
My take as to why server-side developers like sessions is that role information is encapsulated into the request. In the case of AMFPHP for example, each server-side method in a PHP class has a role or set of roles that are allowed to call it. Upon logging in using normal browser security, you’re role is set. This provides transparent interaction between client and server. You can even handle a custom fault of not having the role privaledge to access certain functionality, or even “re-login” if need be without refreshing the page. I guess I don’t understand where this persists, though. J2EE has a similiar setup with a nice, built-in security that works.
The state arguments, however, make no sense. It is understandable since it requires a lot of effort to work with the developers to get them out of the “page” mindset. There is no page; it’s an application like Outlook; it has state, and doesn’t lose it. There is no page refresh.
I once worked on a Flash app where in using OpenAMF, the Java guy wanted me to pass him the session ID as the first parameter to every method call. I’d login, get the sessionID as a return value, and set it to a global (static) variable in the Flash app. Every Delegate call pre-pended this value as the first parameter to method calls. It wasn’t so bad, but I never really understood what the session gave us.
The hidden form variable works similiar to the above; you just store whatever variables you want to keep around in a global/static class.
While Flex & Flash have their own cookies, they are used for ensuring data persistence across application usage, not sessions. So, if I reboot my computer after using an application, the data will be there tomorrow type of thing. They are for data storage. Just like browser cookies I guess, only harder to delete (harder meaning not built into web browsers like cookies are).
The current Flex & ColdFusion app I work on, we don’t use ’em. The Flex app keeps state, and just calls ColdFusion CRUD methods. I’m sure we could add roles if need be, but I guess I just don’t get it beyond the built in security some server-side technology has to authenticate requests.
I’ve never really found a definitive article explaining the session’s role in Flash & Flex development. I’ve seen it discussed more on Flexcoders, but this is mainly because of the influx of server-side talent on that list who is used to dealing with such state. The typical response is “you don’t need them, Flex is a stateful client”, and yet the “logging in” is still discussed. If anyone has anymore sources to add to the above (or correct), please link.