Yo folks,

Okay, I wrote a simple authorization/authentication scheme with
Webware that relied mostly on session variables to pass certain bits
of user info around. I was aware of a few security issues with my
scheme, but I considered them minor and I wasn't concerned about them
at this point in development. I did have *one* requirement, though,
which was that my scheme be at least robust enough to detect session
timout/session cookie deletion.

My question is, how is this done?

request.isSessionExpired() doesn't seem to be working the magic I
would have expected it to work.

Well, I figured I'd simply made some not-Webware-best-practices-aware
error, so I went to the Examples and pulled the login examples from
there. Those, it appears, do not do what I want them to do either. If
I delete the session cookie, no dice, just one big error page telling
me that the maximum recursion depth has been exceeded.

I need to detect if the session cookie is present or not, *before* the
rest of a page executes. Right now my protected pages are inheriting
from an AuthFrame class which uses the awake method to handle this
stuff. I have caching turned off.

I know I'm not providing any code here, for the sake of brevity, but
if anyone can give me some hope, it would be very much appreciated.

All the best,
Greg


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Webware-discuss mailing list
Webware-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/webware-discuss

Reply via email to