Need help with Session Management and JSPs.


Keith Bjorkman

Hi,

I am new to Java and I'm having problems with keeping and tracking session
state in my site with HttpSession interface.

Basically, I have a login page that uses a bean and servlet to create a new
session based on successful authentication. The servlet redirects to the
main page after the session has been created. To keep people from accessing
certain pages, I check for a valid session. At the top of these pages, I
started out with the following code:

<%@ page import="etc..." %>
<%
if (request.isRequestedSessionIdValid()==true) {
%>

<HTML>
etc...
</HTML>

<%
} else{
response.sendRedirect("errorpage.jsp");
}
%>

It works the first time when I try to access the page without logging in.
However, if I go to the page a second time, it lets me in. It acts as if a
session was created the first time I viewed the page. Does anyone know why
this happens? I know it's probably something fundamental that I'm doing
wrong. I have a temporary work around where, in the servlet, I set an
attribute that contains the session id. Each page checks to see if the
attribute is empty. If it is, it kicks you to the error page. This works,
however, this probably isn't the best way.

How should I go about handling this? I'd rather not keep track of the
session with cookies. Would the following be better?
1 - Create a session in the servlet.
2 - Have Set/Get methods for the session id.
3 - Encode the url to include the session id and redirect to the main page.
Then for each protected page, I would check the session id appended to the
url with the session id set in the servlet. If the ids match, then I can
append the session id to any urls off of that page. If they don't match, I
would re-direct to an error page or the login page.

Also, can anybody recommend any web sites or books that provide good info on
session management. Websites would be especially helpful because money is
tight :).

Any help would be greatly appreciated.

Thanks!
Keith
 

Erwin Moller

Keith Bjorkman wrote:

Hi Keith,

read on..
Hi,

I am new to Java and I'm having problems with keeping and tracking session
state in my site with HttpSession interface.

Basically, I have a login page that uses a bean and servlet to create a
new session based on successful authentication. The servlet redirects to the
main page after the session has been created. To keep people from accessing
certain pages, I check for a valid session. At the top of these pages, I
started out with the following code:

<%@ page import="etc..." %>
<%
if (request.isRequestedSessionIdValid()==true) {
%>

<HTML>
etc...
</HTML>

<%
} else{
response.sendRedirect("errorpage.jsp");
}
%>

It works the first time when I try to access the page without logging in.
However, if I go to the page a second time, it lets me in. It acts as if a
session was created the first time I viewed the page. Does anyone know why
this happens?

Yes,

You only check IF there is a valid session.
The fact that your container created a session doesn't mean that the visitor
is authenticated.
Often sessions are created without your knowledge!

I advise you to STORE something in the session and CHECK for that instead of
checking for the existence of the session itself.

So try this:

// using HttpServletRequest aRequest
HttpSession mySession = aRequest.getSession(false);

that means: get the session-object, but not create a new one if no session
exists.
if that returns a session, try this:
mySession.getAttribute("isUserAuthenticated")

to get an Object that is stored under the name isUserAuthenticated.
(This can be a simple String containing "Y" or "N")

So you first store something in the session when the authentication was
successful, and later on you check for the existence of a session, THEN for
the existence of the correct Attribute, AND then for the correct value.

Good luck,
Erwin Moller
 

Keith Bjorkman

As a work around, I set an attribute that contains the session id and check
this in the protected pages. Is this the accepted way for keeping session
state in an application without using cookies?

Keith
 

John C. Bollinger

Keith said:
As a work around, I set an attribute that contains the session id and check
this in the protected pages. Is this the accepted way for keeping session
state in an application without using cookies?

That's a bug fix, not a work around. Something along those lines is
more or less the accepted practice, with the following caveats:

(1) You set a _session_ attribute (as opposed to an application,
request, or page attribute; you didn't specify).

(2) You set the attribute only at login, not necessarily at session
creation.

(3) The class and content of the attribute are not relevant; its
presence in the session is the key thing. You may find, however, that
it is useful to put some kind of application-specific data into the
object in question. It's probably useless to store the session ID
(specifically) there, as you can always get it from the session. If you
only care about the attribute's presence or absence then you could use a
plain Object.

(4) The servlet container may still be using cookies to track the
session. It may also be using URL rewriting, or perhaps some other
technique available to it. You don't have to manage this yourself,
however, except (recommended) to pass all URLs you plan to use as links
inside the webapp through the response's encodeURL(String) method.


John Bollinger
(e-mail address removed)
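Putting Erwin's advice (store a marker at login, check the marker rather than the mere existence of a session) and John's four caveats (session attribute, set only at login, presence is what matters, let the container track the session and pass links through encodeURL) into one piece of code. This is an added example written for this page, not code from either poster. It assumes the Servlet 3.0 javax.servlet API (the @WebFilter annotation; on older containers the Guard filter would be registered in web.xml instead), that the application's protected pages live under /protected/, and that the login page is /login.jsp; the names SessionAuth, AUTH_USER, establishLogin, isAuthenticated, logout and Guard are this example's own. The reason the original JSP check passed on the second visit is also worth stating plainly: a JSP page joins (and so creates) a session on every request unless it declares <%@ page session="false" %>, so the first unauthenticated visit produced a perfectly valid session and isRequestedSessionIdValid() told the truth on the next one. Two further points a practitioner would add: the pre-login session is invalidated and a fresh one created at the moment of login, so a session id the client already held cannot be promoted to an authenticated one (session fixation); and copying the session id into your own URL parameters, as proposed in the original question, is best avoided, because ids in URLs leak through Referer headers, browser history and server logs, whereas encodeURL only appends the id when the container has found that the client refuses cookies.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Session-based login state for a servlet/JSP application (example code,
 * not from the thread).  The marker attribute is stored only after a
 * successful authentication, never merely because a session exists, and the
 * check never creates a session as a side effect.  The container keeps
 * tracking the session itself (cookie or URL rewriting); the application
 * never copies the session id anywhere.
 */
public final class SessionAuth {

    /** Session attribute whose presence means "this session has logged in". */
    public static final String AUTH_USER = "authenticatedUser";

    private SessionAuth() {}

    /**
     * Call from the login servlet after the credentials have been verified.
     * Any session that existed before login is discarded so that an id the
     * client already held cannot become an authenticated session (session
     * fixation).  The redirect target is encoded so clients that are being
     * tracked by URL rewriting keep their session across the redirect.
     */
    public static void establishLogin(HttpServletRequest req, HttpServletResponse resp,
                                      String username, String target) throws IOException {
        HttpSession old = req.getSession(false);   // false: do not create one
        if (old != null) {
            old.invalidate();                       // drop the pre-login session and its id
        }
        HttpSession session = req.getSession(true); // brand-new session, new id
        session.setAttribute(AUTH_USER, username);  // presence is what the check keys on
        session.setMaxInactiveInterval(15 * 60);    // idle timeout, in seconds
        resp.sendRedirect(resp.encodeRedirectURL(target));
    }

    /** The check the thread converges on: a session must exist AND carry the marker. */
    public static boolean isAuthenticated(HttpServletRequest req) {
        HttpSession session = req.getSession(false); // never create a session while checking
        return session != null && session.getAttribute(AUTH_USER) != null;
    }

    /** Logout drops the whole session, not just the marker attribute. */
    public static void logout(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }

    /**
     * Filter guarding every resource under /protected/, so the check is not
     * pasted into the top of each JSP.  Unauthenticated requests are sent to
     * the login page; because the redirect commits the response, the
     * protected JSP never executes for them.
     */
    @WebFilter("/protected/*")
    public static final class Guard implements Filter {
        @Override public void init(FilterConfig cfg) {}
        @Override public void destroy() {}

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse resp = (HttpServletResponse) response;
            if (isAuthenticated(req)) {
                chain.doFilter(request, response);
            } else {
                resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/login.jsp"));
            }
        }
    }
}
```

In the login servlet the successful branch becomes a single call, e.g. `SessionAuth.establishLogin(request, response, username, request.getContextPath() + "/protected/main.jsp");`. Links between pages are written as `<a href="<%= response.encodeURL("other.jsp") %>">`, which is all the URL handling the application needs to do; the value stored under AUTH_USER is a username only for convenience, and a plain `new Object()` would serve the check equally well, as John notes.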
 
