Andre,

What if your user accesses multiple applications with their one browser
session, and these also have a CustomerID?  I think it is a good idea to
consider application space when working with session storage.  At first we
didn't consider doing that, but as we developed more web apps with JSP we
discovered we had to protect what each app would store with session, and
to ensure logging in to one app didn't bypass the need to log in to another.

I also think that people should avoid doing explicit session.invalidate(),
which could wipe out session info used elsewhere.  Browser shutdown, session
timeout, or removal of application specific stuff on app exit are the better
alternatives.

Dan

> ----------
> From:         Andre Richards[SMTP:[EMAIL PROTECTED]]
> Reply To:     Andre Richards
> Sent:         Monday, March 29, 1999 10:17 PM
> To:   [EMAIL PROTECTED]
> Subject:      Re: How to force user to login
>
> I did as follows:
> On every page which must be authenticated, I check for a user ID in the
> session object - if it doesn't exist, I do a redirect to a login page,
> passing the url the user was trying to access as a parameter.
>
> On the login page, if the user successfully logs in, I create a session
> for him/her, and add the user ID to the session. I then redirect back to
> the original page the user tried to access. This way, even if the user
> bookmarks a page, he/she will be asked to login once the session has
> become invalid.
>
> Some code:
> On every page I add the following:
>
>     HttpSession session = request.getSession(true);
>     // No CustomerID in the session: send the user to the login page
>     if (session.getValue("CustomerID") == null) {
>         response.sendRedirect(response.encodeRedirectUrl("Login.jsp?Origin=SharePortfolio.jsp"));
>     }
>     else {
>         // the rest of the page ...
>
> In Login.jsp once the user has provided the correct logon credentials:
>     session.putValue("CustomerID", CustomerID);
>     response.sendRedirect(response.encodeRedirectUrl(request.getParameter("Origin")));
>
>
> -----Original Message-----
> From: Andrey Sazonov <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> Date: Friday, March 26, 1999 6:42 PM
> Subject: How to force user to login
>
>
> >Hi all!
> >
> >I have the following design problem and I hope anybody can help me. I
> >need to develop web based access to the database. Every user who tries
> >to work with this system needs to log in before real access to the
> >database. It works fine with the session tracking mechanism (access to
> >the database is provided by a set of appropriate servlets and beans).
> >But a problem occurs when the user has bookmarked some page and then
> >tries to come directly to the bookmarked page.
> >Does anybody know how to prevent this and show the login page instead
> >of the bookmarked one?
> >
> >I think this could be implemented by processing all requests to the
> >whole site with one servlet, which will further dispatch all requests,
> >but I'm afraid this could add an additional bottleneck to the system.
> >
> >---------------------------
> >Sincerely
> >Andrey Sazonov
> >([EMAIL PROTECTED])
> >
> >===========================================================================
> >To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> >of the message "signoff JSP-INTEREST".  For general help, send email to
> >[EMAIL PROTECTED] and include in the body of the message "help".
>
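
Added example, not code from any message in this thread: the per-application session scoping Dan describes, applied to the CustomerID check in Andre's code, with logout removing only one application's keys instead of calling session.invalidate(). A Map stands in for the HttpSession attribute store so the class runs on a plain JDK (Java 9+). The application names, page names and customer ID are hypothetical, and the Origin allowlist is an added precaution because that parameter arrives with the request.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// The Map stands in for the HttpSession attribute store. In a container the
// same calls map to getAttribute/setAttribute/removeAttribute, the successors
// of the getValue/putValue methods used in the thread.
public class AppSessionScope {
    private final String prefix;           // namespace for this application's keys
    private final Set<String> localPages;  // pages the Origin parameter may name

    public AppSessionScope(String appName, Set<String> localPages) {
        this.prefix = appName + ".";
        this.localPages = localPages;
    }

    public boolean isLoggedIn(Map<String, Object> session) {
        return session.get(prefix + "CustomerID") != null;
    }

    public void login(Map<String, Object> session, String customerId) {
        session.put(prefix + "CustomerID", customerId);
    }

    // Logout removes only this application's keys; the rest of the session stays.
    public void logout(Map<String, Object> session) {
        session.keySet().removeIf(k -> k.startsWith(prefix));
    }

    // Origin is request-supplied: redirect only to a known page of this application.
    public String redirectTarget(String origin, String fallback) {
        return (origin != null && localPages.contains(origin)) ? origin : fallback;
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();  // one shared browser session
        // Hypothetical applications and pages; "C-1001" is a constructed sample ID.
        AppSessionScope portfolio = new AppSessionScope("portfolio", Set.of("SharePortfolio.jsp"));
        AppSessionScope billing = new AppSessionScope("billing", Set.of("Invoices.jsp"));

        portfolio.login(session, "C-1001");
        System.out.println("billing after portfolio login: " + billing.isLoggedIn(session));
        billing.login(session, "C-1001");
        portfolio.logout(session);
        System.out.println("billing after portfolio logout: " + billing.isLoggedIn(session));
        System.out.println("redirect: " + portfolio.redirectTarget("http://other.example/", "Home.jsp"));
    }
}
```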
