> From: Noah Nordrum [mailto:[EMAIL PROTECTED]]
> 
> So have the page where the user enters their credentials wax their session,
> then the validation of the credentials page will create a new session.

That was the solution I mentioned.  It is undesirable for three reasons
I can think of: one, it requires a fix in the multiple locations where
there is a login page; two, not every page with login credentials should
cause this behavior (such as a hypothetical "log in as someone else"
page); three, it requires access to the session in the view.

The last one is the biggest problem, IMHO, because it violates the MVC
paradigm.  Views shouldn't have code.

> why do you have to invalidate the session? why can't you just do:
> ===========================================
> import java.util.Collections;
> import javax.servlet.http.HttpSession;
> HttpSession session = request.getSession();
> // Copy the names first; removing attributes while walking the live
> // Enumeration is not guaranteed to be safe on every container.
> for (Object name : Collections.list(session.getAttributeNames())) {
>   session.removeAttribute((String) name);
> }
> ===========================================
> Then you'll basically have a fresh session (except for a few exceptions).

I hadn't thought of that.  I heard mention on this list some time ago
that Orion stores its security credentials in the user session.  The
only problem is, I don't think there is any guarantee that J2EE app
servers store credentials in the session.  That code isn't necessarily
going to work everywhere.

Of course, the RoleManager code isn't portable either, so it doesn't
really matter :-)

Thanks,
Jeff
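Added example, not code from the thread, from Orion, or from any particular J2EE server: a servlet Filter that does the invalidate-and-recreate step in one central place, mapped to the URL that validates the credentials rather than written into each login page, which is one way around the first and third objections above (and the second, since a "log in as someone else" action simply is not mapped to it). It assumes the Servlet 2.5+ API (javax.servlet, where getAttributeNames() returns Enumeration<String>), a web.xml filter-mapping to the login action URL, and a hypothetical "app.keep." attribute-name prefix marking the few attributes that should survive login. Two points the attribute-removal loop does not cover: removeAttribute() leaves the session id unchanged, whereas invalidate() followed by getSession(true) hands the client a new id on this response; and invalidate() discards whatever the container keeps in that session, credentials included, without the application having to know under which attribute names (if any) the container stores them. On Servlet 3.1 and later, HttpServletRequest.changeSessionId() changes the id without dropping attributes, but it is not available on the servers being discussed here.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (example code, not part of any server): rotates the
 * session before the credentials are validated.  Map it in web.xml to the
 * login action URL (for example /j_security_check or /login.do), not to the
 * pages that merely render the form, and not to a "log in as someone else"
 * action that should keep the current session.
 */
public class SessionRotationFilter implements Filter {

    /** Attributes whose names start with this prefix survive the rotation
     *  (naming convention assumed for this example). */
    static final String KEEP_PREFIX = "app.keep.";

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            rotateSession((HttpServletRequest) req);
        }
        // Credential validation runs downstream, in the servlet or action
        // mapped to this URL, against the fresh session.
        chain.doFilter(req, res);
    }

    /**
     * Invalidates the current session (if any) and creates a new one that
     * carries only the explicitly whitelisted attributes.  Everything else,
     * including any credentials the container stored in the old session, is
     * dropped by the container itself.
     */
    static HttpSession rotateSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> keep = new HashMap<String, Object>();
        if (old != null) {
            // Copy the names first: reading attributes after invalidate()
            // throws IllegalStateException, and walking the live Enumeration
            // while the session changes is not safe on every container.
            for (String name : Collections.list(old.getAttributeNames())) {
                if (name.startsWith(KEEP_PREFIX)) {
                    keep.put(name, old.getAttribute(name));
                }
            }
            old.invalidate();
        }
        // getSession(true) after invalidate() yields a session with a new id;
        // the container emits the new Set-Cookie on this response.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : keep.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }
}
```

The corresponding web.xml mapping would declare the filter once and list each login action URL under its filter-mapping, so adding a new login page means adding a url-pattern, not copying session code into a view.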
