Franck Rageade wrote:
>

Comments intermixed below.


>     I still have many problems to manage my session tracking... I work on
> an intranet portal using NT4 / IIS / Resin 1.1. When the user logs on, an
> instance of User class is instantiated, with the user's configuration, and
> this instance is stored in the session. It looks like this:
>
> <%
> HttpSession sess = req.getSession(true);
> MGUser mgUser = new MGUser(cookieCode, req.getServerName());
> sess.setAttribute("sessionMGUser", mgUser);
> %>

You're working too hard, and that's why it doesn't work as you'll soon
see. You don't have to call getSession(true); the JSP container does that
for you automatically and assigns the result to a variable named "session"
(unless you have specifically specified that the page does not participate
in a session using the page directive). So here you could just do:

<%
MGUser mgUser = new MGUser(cookieCode, request.getServerName());
session.setAttribute("sessionMGUser", mgUser);
%>

To avoid Java code in your page, you could even change MGUser into
a JavaBean. I'm not sure where the "cookieCode" comes from, but
assuming it's a value extracted from the request, you could then
use these tags instead:

<jsp:useBean id="sessionMGUser" scope="session" class="MGUser" >
  <jsp:setProperty name="sessionMGUser" property="request" value="<%= request %>" />
</jsp:useBean>

This creates an instance of MGUser and saves it in the session, if it
doesn't exist already, and sets a property named "request" to the
current HttpServletRequest object. Your bean can then extract the
server name and "cookieCode" from the request.

> Then, at the top of every page, the User object is retrieved with:
>
> <%!
>  MGUser mgUser;
>  HttpSession sess;
> %>

This is dangerous. When you use the <%! ... %> construct you are creating
instance variables in the generated servlet. Instance variables are shared
by all concurrent requests for the page, so the value of these variables
can be overwritten by one request while you're still serving another.
I recommend that you *never* use JSP declarations, unless you're really
sure about what you're doing and know how to avoid multithreading problems
with the use of synchronization. If you really want to share some information
between all requests for a page, I suggest you use an application scope
bean instead, where you can handle multithreading issues with as much
code as you want without complicating the JSP page.

> <% sess = request.getSession(false);
>  if (sess==null) response.sendRedirect(AUTH_FORM_URL);
>  mgUser = (MGUser)sess.getAttribute("sessionMGUser");
> %>

The reason this fails is that you assume sess will be null if the user
is not authenticated. In a JSP page this will never be true, since the
JSP container inserts "session = request.getSession(true)" in the code
automatically. Also, since you use an object in the session as your
"authentication token", it's better to check if it's there or not as
a test for authentication. I would do it like this (again using the
implicit session object):

<%
MGUser mgUser = (MGUser) session.getAttribute("sessionMGUser");
if (mgUser == null) {
  response.sendRedirect(AUTH_FORM_URL);
  return; // stop here, otherwise the rest of the page still runs for an unauthenticated user
}
%>


>     when the user logs out, or kills the browser, and another user
> tries to log in, the second user retrieves the first one's configuration!!!

What do you do when the user "logs out"? I suggest that you provide
a log out page where you invalidate the session:

<%
session.invalidate();
%>

> Can anybody explain to me how to manage sessions efficiently?

I hope this helped.

Hans
--
Hans Bergsten           [EMAIL PROTECTED]
Gefion Software         http://www.gefionsoftware.com
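The login, per-page check and logout that Hans describes, pulled into one helper class so the JSP pages stay small. This is added example code, not from either poster; it assumes the MGUser class and "sessionMGUser" attribute name from the thread, the javax.servlet API, and a placeholder value for AUTH_FORM_URL, which the thread names but does not define.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Centralizes the session handling discussed in the thread (example code). */
public final class SessionGuard {
    /** Attribute name used in the thread. */
    public static final String USER_ATTR = "sessionMGUser";
    /** Placeholder: the thread references AUTH_FORM_URL but never defines it. */
    public static final String AUTH_FORM_URL = "/auth/login.jsp";

    private SessionGuard() {}

    /** Login: discard any session the browser already had, then bind the user to a fresh one,
     *  so a new user can never inherit the previous user's configuration. */
    public static MGUser login(HttpServletRequest req, String cookieCode) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        MGUser user = new MGUser(cookieCode, req.getServerName()); // constructor as used in the thread
        fresh.setAttribute(USER_ATTR, user);
        return user;
    }

    /** Page guard: returns the logged-in user, or sends the redirect and returns null.
     *  The caller must return immediately when null is returned. */
    public static MGUser requireUser(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession sess = req.getSession(false); // never create a session as a side effect
        MGUser user = (sess == null) ? null : (MGUser) sess.getAttribute(USER_ATTR);
        if (user == null) {
            resp.sendRedirect(AUTH_FORM_URL);
        }
        return user;
    }

    /** Logout: invalidate the whole session instead of just removing the attribute. */
    public static void logout(HttpServletRequest req) {
        HttpSession sess = req.getSession(false);
        if (sess != null) {
            sess.invalidate();
        }
    }
}
```

At the top of a protected JSP this reduces to `<% MGUser mgUser = SessionGuard.requireUser(request, response); if (mgUser == null) return; %>`, with no JSP declarations and no shared instance variables.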

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
Some relevant FAQs on JSP/Servlets can be found at:

 http://java.sun.com/products/jsp/faq.html
 http://www.esperanto.org.nz/jsp/jspfaq.html
 http://www.jguru.com/jguru/faq/faqpage.jsp?name=JSP
 http://www.jguru.com/jguru/faq/faqpage.jsp?name=Servlets
