Talking with Tonz - Emery Z. Balint Jr.
Hello all,
I am creating a Web application which requires the user to log in. I am
wondering if I can make the logout system better. Any suggestions would be
very helpful. Here's what I've done so far and what happens in steps:
1. Upon login the user is stored in the session.
2. The user is also stored in the ServletContext so they cannot log in twice.
3. Upon logout, the user is removed from the ServletContext and the session
is invalidated. Works great.
4. But when the user forgets to log out and simply closes the browser, the
session lingers until timeout and the ServletContext still has the user in
it. So the user cannot log in again!
5. To remedy this, what I've done is the next time the user wants to log in I
check the last time they accessed the session (this I store and update
in the ServletContext as the user uses the Web application). So if 20
minutes have passed then I know that the session has timed out and I allow
the user to log in again. I update the ServletContext and away the user goes.
Now although this works, if the user forgets to log out they'll have to wait
about 20 minutes before logging in again. Somewhat of a hassle, although
fairly secure. So I'm curious, does anyone have any suggestions to perhaps make
this better?
M.
P.S. I'm using Tomcat 4.1.24 and I'm sticking to the MVC model. I have a
controller servlet and a bunch of other classes for various other tasks. JSPs
are used for presentation. MySQL for storage.
/\^/\^/\
Sun Certified Java Programmer
www.websamba.com/javarobotics/
E-stronomy - Astronomical Resources
www.websamba.com/e-stronomy/
Talking with Tonz - Dance/Alternative Music
www.soundclick.com/talkingwithtonz/
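The single-login scheme described in the post above keeps its own "last accessed" timestamp in the ServletContext to guess when a lingering session has expired. The Servlet 2.3 API that Tomcat 4.1 implements already tells you exactly when that happens: an object stored in the session that implements HttpSessionBindingListener has its valueUnbound() method called whenever the session is invalidated, whether by an explicit logout or by the container's timeout. The example below is added here for illustration and is not the poster's code; the attribute names ("user", "activeUsers"), the raw (pre-generics) collections and the synchronized map are assumptions chosen to fit a JDK 1.3/1.4-era Tomcat 4.1 deployment. It releases the user's seat in the ServletContext the moment the container expires the session, so no separate timestamp bookkeeping is needed and the 20-minute wait shrinks to whatever session-timeout is configured in web.xml.

```java
import java.io.Serializable;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/**
 * Added example (not the original poster's code). One instance of this class
 * is stored in the HttpSession at login; the container calls valueUnbound()
 * when the session is invalidated or times out, which is where the user's
 * entry in the application-wide map is released.
 */
public class LoginToken implements HttpSessionBindingListener, Serializable {

    /** Session attribute under which the token is stored (assumed name). */
    static final String SESSION_ATTR = "user";
    /** ServletContext attribute holding a Map of userId -> sessionId (assumed name). */
    static final String ACTIVE_USERS_ATTR = "activeUsers";

    private final String userId;
    private final String sessionId;

    private LoginToken(String userId, String sessionId) {
        this.userId = userId;
        this.sessionId = sessionId;
    }

    public String getUserId() {
        return userId;
    }

    /** Lazily creates the shared map; ServletContext attributes are per web app, per JVM. */
    static Map activeUsers(ServletContext ctx) {
        synchronized (ctx) {
            Map m = (Map) ctx.getAttribute(ACTIVE_USERS_ATTR);
            if (m == null) {
                m = Collections.synchronizedMap(new HashMap());
                ctx.setAttribute(ACTIVE_USERS_ATTR, m);
            }
            return m;
        }
    }

    /**
     * Atomically claims the user's seat. Returns false if the same user already
     * holds a live session, which is the "cannot log in twice" rule from the post.
     * Called from the controller servlet after the password check succeeds.
     */
    public static boolean tryLogin(HttpSession session, String userId) {
        Map active = activeUsers(session.getServletContext());
        synchronized (active) {           // check-then-put must be one step
            if (active.containsKey(userId)) {
                return false;
            }
            active.put(userId, session.getId());
        }
        // Binding the token triggers valueBound(); its later removal triggers valueUnbound().
        session.setAttribute(SESSION_ATTR, new LoginToken(userId, session.getId()));
        return true;
    }

    /** Explicit logout: invalidating the session unbinds the token, which frees the seat. */
    public static void logout(HttpSession session) {
        session.invalidate();
    }

    public void valueBound(HttpSessionBindingEvent event) {
        // Nothing to do: the seat was claimed in tryLogin() before binding.
    }

    /**
     * Runs on logout, on session timeout, and on removeAttribute(). Only the
     * session that actually owns the seat may release it, so a stale token
     * from an older session cannot evict a newer login of the same user.
     */
    public void valueUnbound(HttpSessionBindingEvent event) {
        Map active = activeUsers(event.getSession().getServletContext());
        synchronized (active) {
            if (sessionId.equals(active.get(userId))) {
                active.remove(userId);
            }
        }
    }
}
```

The ownership check in valueUnbound() matters: without it, a late-expiring old session could remove the map entry that a newer session of the same user had just claimed, silently reopening the door to a second concurrent login. Because the map lives in the ServletContext, this only enforces single login within one web application on one JVM; a load-balanced or clustered Tomcat would need the active-user record moved to the shared MySQL store instead.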