Hi Ming Li, An easy solution is to store something like "user_id" into the session, always get the session with request.getSession(true); and then check if getAttribute("user_id") is null.
If the session has been invalidated, you will get a new session which won't have the user_id. If the session is valid, it will have the user_id. On logout, remove this attribute, and then whether the session is valid, or invalid, it won't have a user_id, so you can assume they are not logged in. Hope that helps, Neale Rudd metawerx java hosting http://www.metawerx.net On Fri, 10 Dec 2004 14:32:39 -0700, Ming Li <[EMAIL PROTECTED]> wrote: >Thanks for the reply, Wei Cheng. Your solution works fine when the user's >session has already been created. But if a user requests a secured web page >immediately after his/her Web viewer is started, at that moment the user >session has not been created yet, in this case, the authentication filter >will capture the user's attempt and redirect the user to the timeout page, >instead of the login page... > ___________________________________________________________________________ To unsubscribe, send email to [EMAIL PROTECTED] and include in the body of the message "signoff SERVLET-INTEREST". Archives: http://archives.java.sun.com/archives/servlet-interest.html Resources: http://java.sun.com/products/servlet/external-resources.html LISTSERV Help: http://www.lsoft.com/manuals/user/user.html