Hi Ming Li,

An easy solution is to store something like "user_id" into the session,
always get the session with request.getSession(true); and then check if
getAttribute("user_id") is null.

If the session has been invalidated, you will get a new session which won't
have the user_id.

If the session is valid, it will have the user_id.

On logout, remove this attribute, and then whether the session is valid, or
invalid, it won't have a user_id, so you can assume they are not logged in.

Hope that helps,
Neale Rudd
metawerx java hosting
http://www.metawerx.net

On Fri, 10 Dec 2004 14:32:39 -0700, Ming Li <[EMAIL PROTECTED]> wrote:

>Thanks for the reply, Wei Cheng. Your solution works fine when the user's
>session has already been created. But if a user requests a secured web page
>immediately after his/her Web viewer is started, at that moment the user
>session has not been created yet, in this case, the authentication filter
>will capture the user's attempt and redirect the user to the timeout page,
>instead of the login page...
>

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html

Reply via email to