Yo folks, Okay, I wrote a simple authorization/authentication scheme with Webware that relied mostly on session variables to pass certain bits of user info around. I was aware of a few security issues with my scheme, but I considered them minor and I wasn't concerned about them at this point in development. I did have *one* requirement, though, which was that my scheme be at least robust enough to detect session timout/session cookie deletion.
My question is, how is this done? request.isSessionExpired() doesn't seem to be working the magic I would have expected it to work. Well, I figured I'd simply made some not-Webware-best-practices-aware error, so I went to the Examples and pulled the login examples from there. Those, it appears, do not do what I want them to do either. If I delete the session cookie, no dice, just one big error page telling me that the maximum recursion depth has been exceeded. I need to detect if the session cookie is present or not, *before* the rest of a page executes. Right now my protected pages are inheriting from an AuthFrame class which uses the awake method to handle this stuff. I have caching turned off. I know I'm not providing any code here, for the sake of brevity, but if anyone can give me some hope, it would be very much appreciated. All the best, Greg ------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click _______________________________________________ Webware-discuss mailing list Webware-discuss@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/webware-discuss