Well we want to add some security verification over our applicationsWhy not use SSL instead some homegrown mechanism which is prone to have flaws?
don't know if i'm correct, is forms's session the same as http session ??it is not.
i have seen that forms has jsessionid so i think there is also a http session, so i want to know if i could get access to these session variablesThe traffic between the forms applet and the forms servlet is encrypted. You could of course turn on wireshark, trace the whole traffic between the forms applet and the forms servlet and try to break the encryption. But if I were you and would have concerns that someone tries to decrypt your traffic simply use SSL.