Keith Bjorkman
Hi,
I am new to Java and I'm having problems with keeping and tracking session
state in my site with HttpSession interface.
Basically, I have a login page that uses a bean and servlet to create a new
session based on successful authentication. The servlet redirects to the
main page after the session has been created. To keep people from accessing
certain pages, I check for a valid session. At the top of these pages, I
started out with the following code:
<%@ page import="etc..." %>
<%
if (request.isRequestedSessionIdValid()==true) {
%>
<HTML>
etc...
</HTML>
<%
} else{
response.sendRedirect("errorpage.jsp");
}
%>
It works the first time when I try to access the page without logging in.
However, if I go to the page a second time, it lets me in. It acts as if a
session was created the first time I viewed the page. Does anyone know why
this happens? I know it's probably something fundamental that I'm doing
wrong. I have a temporary workaround where, in the servlet, I set an
attribute that contains the session id. Each page checks to see if the
attribute is empty. If it is, it kicks you to the error page. This works,
however, this probably isn't the best way.
How should I go about handling this? I'd rather not keep track of the
session with cookies. Would the following be better?
1 - Create a session in the servlet.
2 - Have Set/Get methods for the session id.
3 - Encode the url to include the session id and redirect to the main page.
Then for each protected page, I would check the session id appended to the
url with the session id set in the servlet. If the ids match, then I can
append the session id to any urls off of that page. If they don't match, I
would redirect to an error page or the login page.
Also, can anybody recommend any web sites or books that provide good info on
session management? Websites would be especially helpful because money is
tight.
Any help would be greatly appreciated.
Thanks!
Keith
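
Added example, not part of the original post: a JSP page creates a session on its first request unless it declares `<%@ page session="false" %>`, so a second request carries a valid session id whether or not anyone logged in. The filter below gates protected pages on an attribute that only a successful login sets. It assumes the javax.servlet API on the classpath; the names `AuthFilter`, `authenticatedUser` and `markLoggedIn` are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Gate for protected pages: a valid session id is not proof of login. */
public class AuthFilter implements Filter {
    // Hypothetical attribute name; set only by the login servlet on success.
    static final String AUTH_ATTR = "authenticatedUser";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) rq;
        HttpServletResponse response = (HttpServletResponse) rs;

        // getSession(false) never creates a session, unlike getSession() or a
        // JSP left at its default of session="true".
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(AUTH_ATTR) == null) {
            // Same error page the post redirects to.
            response.sendRedirect(request.getContextPath() + "/errorpage.jsp");
            return;
        }
        chain.doFilter(rq, rs);
    }

    /** Call from the login servlet after credentials have been verified. */
    static void markLoggedIn(HttpServletRequest request, String user) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();           // drop any anonymous pre-login session
        }
        HttpSession fresh = request.getSession(true); // new id issued at login
        fresh.setAttribute(AUTH_ATTR, user);
    }
}
```

Issuing a fresh session at login matters more if the id travels in the URL as proposed in the post, since URL-borne ids end up in browser history, server logs and Referer headers.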