Thanks Pierre for your complete answer. Also thanks to Brad and Steven.
You mentioned session expires by default after 30 minutes. How can I change
this and set it based on user profile?
-----Original Message-----
From: A mailing list for discussion about Sun Microsystem's Java Servlet
API Technology. [mailto:[EMAIL PROTECTED]]On Behalf Of
Pierre-Yves Saumont
Sent: Friday, July 13, 2001 5:42 AM
To: [EMAIL PROTECTED]
Subject: Re: Login implementation
Mike,
This is not a programming issue. On the first request, your servlet receives
a login and a password. It looks in a database to see if the user exists and
if the password is OK. Then, the user is considered to be logged in for the
duration of the request.
Now, if you want to extend the logged in condition across several successive
requests, you need to implement a sort of session. You can use Java session
for this, or you can implement your own.
If you use Java session with default configuration, your user will be logged
in for the next 30 minutes (you can of course change this).
The principle of Java session (which are identified sessions) is to store
data on the server and send a key (the session ID) to that data back and
forth on each subsequent request/response.
The data is the fact that the user is logged in, no matter how you store it.
You can just store a flag saying "user with that session ID is logged in",
or you can store the user name and password and check it again on each
request. This is up to you but is probably irrelevant in terms of security
level.
In this model, the session ID just replaces the user name/password. It is
stored in a cookie or in the URL (if cookies are unavailable and you encode
the URLs).
So, the answer is yes, the existence of a user object in a session is enough to
consider it as an authorized request. Note that this object can be retrieved
only from the session ID, which is a hashcode that is probably much harder to
guess than a user name/password, plus it expires by default after 30
minutes. So, the weakest point in terms of security is the initial request
(if that was your concern!)
Pierre-Yves
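The model Pierre-Yves describes (check the login and password once, put a user object in the session, and treat the presence of that object as the authorization on every later request) in servlet code, together with the per-profile timeout Mike asks about in his follow-up. This is an added example, not code from anyone on the list: the class names, the `/app/home` and `/app/login` URLs, the in-memory credential map standing in for the `login` table, and the profile-to-timeout policy are all assumptions made for the illustration.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** What the session holds once login succeeds: the user, never the password. */
final class LoginUser implements java.io.Serializable {
    final String name;
    final String profile;   // e.g. "admin" or "user"; drives the session timeout
    LoginUser(String name, String profile) { this.name = name; this.profile = profile; }
}

/** Handles the initial request (login + password) and opens the session. */
public class LoginServlet extends HttpServlet {
    static final String USER_KEY = "loginUser";

    // Hypothetical credential check. The real application queries the 'login'
    // table; this constructed map (login -> {password, profile}) stands in for
    // it. A real table would hold password hashes, not plaintext.
    private static final Map CREDENTIALS = new HashMap();
    static {
        CREDENTIALS.put("alice", new String[] {"s3cret", "admin"});
        CREDENTIALS.put("bob",   new String[] {"hunter2", "user"});
    }

    static LoginUser authenticate(String login, String password) {
        if (login == null || password == null) return null;
        String[] row = (String[]) CREDENTIALS.get(login);
        if (row == null || !row[0].equals(password)) return null;
        return new LoginUser(login, row[1]);
    }

    // Assumed policy: inactivity timeout in seconds, chosen per profile.
    static int timeoutFor(String profile) {
        return "admin".equals(profile) ? 10 * 60 : 30 * 60;
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        LoginUser user = authenticate(req.getParameter("login"), req.getParameter("password"));
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "bad login");
            return;
        }
        // Discard any session the browser already had before login, so the old
        // session ID is not promoted to an authenticated one; then start fresh.
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        HttpSession session = req.getSession(true);
        session.setAttribute(USER_KEY, user);
        session.setMaxInactiveInterval(timeoutFor(user.profile));
        resp.sendRedirect(resp.encodeRedirectURL("/app/home"));
    }
}

/** Runs in front of every protected URL: the session user object is the authorization. */
class LoginFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(false);   // never create one here
        Object user = (session == null) ? null : session.getAttribute(LoginServlet.USER_KEY);
        if (user == null) {
            // No session, expired session, or session without a login: back to the form.
            resp.sendRedirect(resp.encodeRedirectURL("/app/login"));
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Map `LoginFilter` in `web.xml` to the URL patterns that need a login and `LoginServlet` to the login form's action. `setMaxInactiveInterval` takes seconds and applies to that one session, which is how the timeout can differ per profile instead of being the container-wide default; `encodeRedirectURL` keeps the URL-rewriting fallback working when cookies are unavailable, as in the model described above.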
-----Original Message-----
From: A mailing list for discussion about Sun Microsystem's Java Servlet
API Technology. [mailto:[EMAIL PROTECTED]]On Behalf Of Mike
Peyvandi
Sent: Saturday, July 14, 2001 08:30
To: [EMAIL PROTECTED]
Subject: Re: Login implementation
Well, how should I remember the authorization? That was my initial
concern/question! Are you saying the existence of a user object in a session is
enough to consider it as an authorized request?
-----Original Message-----
From: A mailing list for discussion about Sun Microsystem's Java Servlet
API Technology. [mailto:[EMAIL PROTECTED]]On Behalf Of
Steven Lewis
Sent: Friday, July 13, 2001 2:13 AM
To: [EMAIL PROTECTED]
Subject: Re: Login implementation
no - once per session - then remember the authorization
At 12:58 AM 7/14/2001 -0400, you wrote:
>Thanks Steven. I am using a bean to look at the 'login' table in database
>to authorize the user or not. By your suggestion, I guess I need to call
>the bean for each user request :( am I right?
>
>Mike
>
>
>-----Original Message-----
>From: A mailing list for discussion about Sun Microsystem's Java Servlet
>API Technology. [mailto:[EMAIL PROTECTED]]On Behalf Of
>Steven Lewis
>Sent: Friday, July 13, 2001 12:44 AM
>To: [EMAIL PROTECTED]
>Subject: Re: Login implementation
>
>
>Yes - after a successful login create a user object and add it to the
>session
>(Note: easiest done if cookies are required)
>
>At 12:24 AM 7/14/2001 -0400, mike wrote:
> >Hi all:
> >
> >I need some idea on implementing the login process for a Java web
> >application. How can I check the user authorization after the initial
> >successful login request, i.e. in second request? Can it be done by adding
> >a parameter to the user Session?
> >
> >Thanks,
> >Mike
> >
>
> >___________________________________________________________________________
> >To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> >of the message "signoff SERVLET-INTEREST".
> >
> >Archives: http://archives.java.sun.com/archives/servlet-interest.html
> >Resources: http://java.sun.com/products/servlet/external-resources.html
> >LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
>
>==============================================================
>LordJoe - Java Training and Consulting
>http://www.LordJoe.com
>