On Wed, 23 Jun 1999, Raka wrote:
> I'm testing session tracking & cookie on two different browsers (IE 4 and
> Netscape 4.5)
>
> I have a scenario like this :
> User access the main.html (this html contains a form asking for
> username and password).
> When the submit button clicked, the form is posted to verifyuser servlet.
> If username with that password exists, the verifyuser servlet will
> *create* a HttpSession. <I print the SessionId ... say "ABCD">
>
> Then the control is transferred to lobby servlet <I use
> resp.sendRedirect(lobbyURL)>
>
> I also anticipate the possibility user directly type the lobbyURL (with
> the necessary GET parameters) on his browser....By trapping on the
> service(req,resp) method of lobby servlet.
> <
> HttpSession session = req.getSession(true)
> //here i want to check the sessionId
> System.out.println(session.getId());
> //
> if(session.isNew()){
> session.invalidate();
> resp.sendRedirect(mainhtmlURL);
> }else{
> super.service(req,resp)
> }
> >
>
> The problem is (If using IE 4): the sessionId of session that was created
> by verifyuser servlet, *is not the* same with the sessionId that I get in
> service method of lobby servlet <ABCD =/= WXYZ>
>>>> added line : by raka <<<<<
In effect, the session.isNew() always returns true.
So the lobby servlet can not reach the doGet(req,resp) method
>>>> end of added line (sorry, two lines) <<<<<
>
> I do not understand this, the tutorial says that every single user have a
> *single* session, that can be *shared* among servlets.
>
> I can draw a conclusion that : IE 4 will create a *new*/*separate* request
> upon accepting SEND REDIRECT response header <the final effect is
> creating a new & different session>
> Is that correct ?
>
> I do not experience this problem if I use Netscape 4.5....
>
> It's really annoying, since I rely on that session tracking mechanism for
> securing my system <from witched users, ya just like above : they type
> directly the servlet URL>
>
> How to correct this problem ?
> Is there any other way of invoking another servlet from a servlet ?
> (Until now, I only know one : sendRedirect)
>
> Thanks a lot for your helps
>
> -raka-
>
>
>
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
