-----------------------------
Please read the FAQ!
<http://java.apache.org/faq/>
-----------------------------

On Aug 4, 12:12am, Craig McClanahan wrote:
> Subject: Re: user authentication and servlets
> For my apps, I've tended to implement authentication within my servlets
> themselves, rather than relying on the web server to do it.  Besides keeping all
> the application logic together, this is also *slightly* more secure and better
> performing, because the cleartext username and password only cross the network
> once (the form submit of the login screen) versus once per request (in an HTTP
> header when using Basic authentication).  The security part of this is probably
> not an issue on an intranet, or an SSL connection across the Internet, but the
> extra bytes still add up.
>
> Craig McClanahan
>-- End of excerpt from Craig McClanahan

Well, I've already implemented a servlet that works in this manner, and it's
quite nice. The only problem is that I store the username in the HttpSession
object, which can time out after a while. There doesn't seem to be any way to
tell jserv never to invalidate a session. You can set the timeout to be really
high, but that's not a very good solution. Anyway, if the user remains inactive
for too long, his HttpSession is gone and none of my other servlets can check
and see who he is. Any ideas?
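
The following is an added example, not code from either poster or from the Apache JServ project. It sketches the in-servlet form login described in the quoted message, with an expired HttpSession handled as a logged-out state that sends the user back to the login form. The class name, the attribute key, the /login.html path, the 30-minute idle limit and the abstract checkCredentials() hook are assumptions made for illustration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical base servlet; a subclass supplies the credential check.
public abstract class LoginGateServlet extends HttpServlet {
    private static final String USER_ATTR = "auth.username";   // assumed key
    private static final int IDLE_TIMEOUT_SECONDS = 30 * 60;    // assumed limit

    // Verify the pair against the application's credential store.
    protected abstract boolean checkCredentials(String user, String pass);

    // Target of the login form: the only request that carries the password.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null || !checkCredentials(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Discard any pre-login session so its id is not carried past login.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = req.getSession(true);
        session.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);
        session.setAttribute(USER_ATTR, user);
        resp.sendRedirect(req.getContextPath() + "/");
    }

    // Called first by every protected servlet. Returns the username, or
    // null after redirecting to the login form when no live session exists.
    public static String requireUser(HttpServletRequest req,
                                     HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false); // never create one here
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);
        if (user == null) {
            // Session absent or timed out: the caller must stop processing.
            resp.sendRedirect(req.getContextPath() + "/login.html");
            return null;
        }
        return (String) user;
    }
}
```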



