Ok, that makes sense. Is there a problem logging off and then immediately logging a new user on? I am doing this in the case that a RestartResponseAtInterceptPageException was thrown but a different user logs on than the one that threw the RestartResponseAtInterceptPageException. I go to the home page instead of continueToOriginalDestination(). I see that logging off causes the Session to be marked dirty, but when I immediately log on a new user, the session does not get invalidated.
Do you see any reason why I should not do this?

> -----Original Message-----
> From: Maurice Marrink [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, March 25, 2008 2:19 PM
> To: users@wicket.apache.org
> Subject: Re: Wicket-Security Back Button and Login more than once
>
> I checked to be sure :)
> we check it in the constructor:
>     // prevent double logins
>     if (isUserLoggedIn())
>     {
>         throw new RestartResponseException(HomePage.class);
>     }
> of course that way you can not check if it is the same user.
> So if you really want to do that you have to check it in the onsubmit
> before you use the logincontext.
> Our user object does have a password field which is encrypted so we
> have to encrypt the user input first to match it against the password.
> However we do not store the user entity in the session but just the
> id, during a request if the user is needed it is loaded once from the
> db and then that is used throughout the request. after the request we
> detach it again.
>
> Maurice
>
> On Tue, Mar 25, 2008 at 10:03 PM, Warren
> <[EMAIL PROTECTED]> wrote:
> > You're checking in your constructor or in an onSubmit() of a form on
> > your Login Page? I'm sorry, I am not quite following you. And are you
> > keeping password info in your User reference or are you looking it up
> > from db or wherever every time?
> >
> > > -----Original Message-----
> > > From: Maurice Marrink [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, March 25, 2008 1:24 PM
> > > To: users@wicket.apache.org
> > > Subject: Re: Wicket-Security Back Button and Login more than once
> > >
> > > Well, we do it by also keeping a reference to the user (not the
> > > subject that swarm uses) in the session.
> > > And we check if the user is already logged in in the constructor
> > > of our login page.
> > > The login context is not intended to check if the same user is
> > > already logged in.
> > > The logincontext does however prevent (if so ordered, which is the
> > > case by default) multiple logins.
> > > I don't think multiple logins is what you want, but if that is the
> > > case you could take a look at the constructors of LoginContext, they
> > > let you change the default behavior.
> > >
> > > Maurice
> > >
> > > On Tue, Mar 25, 2008 at 7:07 PM, Warren
> > > <[EMAIL PROTECTED]> wrote:
> > > > Where would you check to see if the same user was trying to log
> > > > on again, in the LoginContext? I can check in the Session and see
> > > > if a user is logged on or not, but I can not check to see if it is
> > > > the same user unless I keep the userid and password in the
> > > > session. I would like to do it in the LoginContext and throw an
> > > > Exception if it is the same user. The way it is now, I get a
> > > > LoginException from the LoginContainer if I try to log on again,
> > > > but I have no way of knowing if it is because the same user is
> > > > logged on or not.
> > > >
> > > >     public void login(LoginContext context) throws LoginException
> > > >     {
> > > >         ...
> > > >         if (subjects.containsKey(key))
> > > >             throw new LoginException("Already logged in through this context ").setLoginContext(context);
> > > >         ...
> > > >     }
> > > >
> > > > How would you suggest figuring out if it is the same user or not?
> > > >
> > > > > -----Original Message-----
> > > > > From: Maurice Marrink [mailto:[EMAIL PROTECTED]
> > > > > Sent: Tuesday, March 25, 2008 10:02 AM
> > > > > To: users@wicket.apache.org
> > > > > Subject: Re: Wicket-Security Back Button and Login more than once
> > > > >
> > > > > We also use a "screensaver" but it does not use the login
> > > > > routines, instead it just verifies the user input against the
> > > > > username and password from the loggedin user.
> > > > > Also you can do a check on the loginpage to determine if there
> > > > > is already a logged in user, if there is and it is the same
> > > > > username you can skip logging in again.
> > > > >
> > > > > Maurice
> > > > >
> > > > > On Tue, Mar 25, 2008 at 5:41 PM, Warren
> > > > > <[EMAIL PROTECTED]> wrote:
> > > > > > How do you deal with the situation where a user uses the
> > > > > > browser back button and ends up on a login page and then
> > > > > > tries to login again? In other words, how do you allow a
> > > > > > user to login more than once? I am also running into this
> > > > > > same situation when I manually throw a
> > > > > > RestartResponseAtInterceptPageException(Login.class)
> > > > > > exception.
> > > > > >
> > > > > > I need a 5 minute screen saver type of time out and then the
> > > > > > regular session expired time out. The screen saver would
> > > > > > require the user to login again and then pick up where they
> > > > > > left off, but if a new user logged in it would invalidate
> > > > > > the previous user's session and start the new user from the
> > > > > > home page. I wrote something that kind of works, but I keep
> > > > > > running into little problems with it.
> > > > > >
> > > > > > What would be the best way to do this?
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Warren Bell

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
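
Added example, not part of the thread and not Wicket or Swarm code: the re-login decision discussed above, written as framework-neutral Java in which the session keeps only the user id, the same user resumes, and a different user gets a cleared session and the home page. `ReLoginPolicy`, `Session`, `Authenticator` and `Outcome` are hypothetical names, and the credential table is constructed sample data.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Hypothetical, framework-neutral model; none of these types are Wicket or Swarm classes.
public class ReLoginPolicy {
    enum Outcome { CONTINUE_TO_ORIGINAL_DESTINATION, HOME_PAGE, REJECTED }
    interface Authenticator { boolean verify(String userId, String password); }

    // Stand-in for the web session: stores the user id only, not the password.
    static final class Session {
        String id = UUID.randomUUID().toString();
        String userId; // null while nobody is logged in
        final Map<String, Object> attributes = new HashMap<>();

        // Drop all state and issue a new id so nothing of the previous user survives.
        void invalidate() {
            attributes.clear();
            userId = null;
            id = UUID.randomUUID().toString();
        }
    }

    // Called from the login form's submit handler, after the intercept page was shown.
    static Outcome onSubmit(Session s, Authenticator auth, String userId, String password) {
        if (!auth.verify(userId, password)) {
            return Outcome.REJECTED; // a failed attempt leaves the current session untouched
        }
        if (s.userId == null || s.userId.equals(userId)) {
            s.userId = userId; // first login, or the same user resuming
            return Outcome.CONTINUE_TO_ORIGINAL_DESTINATION;
        }
        s.invalidate(); // different user: discard the previous user's state first
        s.userId = userId;
        return Outcome.HOME_PAGE;
    }

    public static void main(String[] args) {
        Map<String, String> users = Map.of("warren", "pw-1", "maurice", "pw-2"); // constructed
        Authenticator auth = (u, p) -> u != null && p != null && p.equals(users.get(u));
        Session s = new Session();
        System.out.println(onSubmit(s, auth, "warren", "pw-1"));   // initial login
        s.attributes.put("draft", "warren's unsaved form");
        System.out.println(onSubmit(s, auth, "warren", "pw-1"));   // screen-saver re-login
        System.out.println(onSubmit(s, auth, "maurice", "wrong")); // bad password
        System.out.println(onSubmit(s, auth, "maurice", "pw-2"));  // different user
        System.out.println("previous state cleared: " + s.attributes.isEmpty());
    }
}
```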