I too worked on this last week.  The solution I like best is creating a static
HTML login screen.  The form (HTML FORM tag) points to a servlet that verifies
the users.  If the user is accepted, then have the servlet generate the desired
HTML page.  This way, even if the user bookmarks the servlet, the servlet will
throw an error when it tries to access the form variables that aren't there.
This forces the person to go through the login screen.  Furthermore, if there are
steps to the system (user to server to user to server....) then you can pass the
login name and password back and forth.  Or if variables and input are being
passed back and forth, don't worry about it.  The servlet will throw errors when
it doesn't receive the correct values.

DanC

Cezar Totth wrote:

> Hi,
>
> Better not to count *only* on the fact that a HttpSession already exists
> or not. It is possible the user worked with some other developer's servlet
> which already instantiated the HttpSession (like Alvin's game ;-),
> and when his boss suddenly enters the office he quickly follows the bookmark
> to Andrey's office applications... which need to authenticate the user again,
> within the new "working environment".
>
> Cezar
>
> On Fri, 26 Mar 1999, Amarnath Nanduri wrote:
>
> > Hi Andrey,
> >      Use session tracking. In the login page, create your session objects
> > and in your other servlets make sure that a session exists (do not create
> > the session though). If the session is null you can be pretty sure that
> > the user has bookmarked the page. In that case just redirect him to the
> > login page.
> > Hope this helps.
> >
> > p.s.  I am working on a project that implements this mechanism and it
> > works.
> >
> > Amar..
> >
> >
> >
> >
> >
> > Andrey Sazonov <[EMAIL PROTECTED]> on 03/26/99 10:41:44 AM
> >
> > Please respond to "A mailing list for discussion about Sun Microsystem's
> >       Java Servlet API Technology." <[EMAIL PROTECTED]>
> >
> > To:   [EMAIL PROTECTED]
> > cc:    (bcc: Amarnath Nanduri/IT/VANCPOWER)
> > Subject:  How to force user to login
> >
> >
> >
> >
> > Hi all!
> >
> > I have the following design problem and I hope anybody can help me. I need
> > to develop web based access to the database. Every user who tries to work
> > with this system needs to log in before real access to the database. It
> > works fine with the session tracking mechanism (access to the database is
> > provided by a set of appropriate servlets and beans).
> > But a problem occurs when the user has bookmarked some page and then tries
> > to come directly to the bookmarked page.
> > Does anybody know a way to prevent this and show the login page instead of
> > the bookmarked one?
> >
> > I think this could be implemented by processing all requests to the whole
> > site by one servlet, which will further dispatch all requests, but I'm
> > afraid this could add an additional bottleneck to the system.
> >
> > ---------------------------
> > Sincerely
> > Andrey Sazonov
> > ([EMAIL PROTECTED])
> >
>
> ___________________________________________________________________________
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff SERVLET-INTEREST".
>
> Archives: http://archives.java.sun.com/archives/servlet-interest.html
> Resources: http://java.sun.com/products/servlet/external-resources.html
> LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
