Of course, tokens will help here. I could also put a special attribute
into each session and check this attribute in each action. But there are
two points I don't like here.

* There must be at least one action where I create this attribute. And at
least in this action I do not know if I have a new session or a
re-created one. To make the problem worse, we do not require the user to
log in. So we have no special login page we could use for this purpose.
Basically the user may visit almost any page first.
* I have to check for this attribute in *every* action and on *every* JSP
page. This could be done by creating my own Action base class, of course,
but somehow I don't like the idea (however I can't say why :-) ).

I don't really know how to solve the problem with the JSPs. I would have
created a special tag that checks if the session is new or not. This is
bad but seems to be the only solution. Besides, I would never call JSPs
directly, but some people might want (or have) to do this.

I didn't know that Servlet 2.3 will solve these problems, but what can
we do until then?

andreas

> -----Original Message-----
> From: Jonathan Asbell [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, June 12, 2001 6:07 AM
> To: Craig R. McClanahan; [EMAIL PROTECTED]
> Subject: Re: Handling session timeouts
>
>
> No Craig. If his session times out, it will lose the token
> in the session.
> Thus the page will not submit because the token in the
> session will not match the one in the hidden field.
>
>
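
Added example, not part of the original thread and not Struts code: one way to tell a first visit from a timed-out session using only the Servlet API calls `getRequestedSessionId()` and `isRequestedSessionIdValid()`, so the same check can be called from an Action base class or from a custom JSP tag. The class name `SessionState` and the marker attribute name are hypothetical.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper: classifies the session behind the current request. */
public final class SessionState {
    public static final int FRESH = 0;   // no usable session before this request
    public static final int EXPIRED = 1; // client sent an id the container no longer accepts
    public static final int ACTIVE = 2;  // live session that was already initialised

    // Hypothetical attribute name used as the "already initialised" marker.
    private static final String MARKER = "app.session.initialised";

    private SessionState() {}

    public static int classify(HttpServletRequest request) {
        // Read the client-supplied id before getSession(true) can create a
        // replacement session for this request.
        String requestedId = request.getRequestedSessionId();
        boolean stale = requestedId != null && !request.isRequestedSessionIdValid();

        HttpSession session = request.getSession(true);
        if (!stale && session.getAttribute(MARKER) != null) {
            return ACTIVE;
        }
        // Either the container just created this session, or something else
        // created it earlier (for example a JSP that was called directly)
        // without setting the marker. Initialise it here in both cases.
        session.setAttribute(MARKER, Boolean.TRUE);

        // "stale" stays true for the rest of this request, so a tag on the
        // forwarded JSP reports the same answer as the action did.
        // The requested id comes from the client (cookie or URL), so use
        // EXPIRED only to choose a "your session timed out" page, never as
        // input to an access decision.
        return stale ? EXPIRED : FRESH;
    }
}
```

A client that drops its cookie after a timeout is reported as `FRESH`, so the state held in the old session must still be treated as gone in both non-`ACTIVE` cases.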