workaround to suspend the session object

[Gaurav]

Hi All,

I have a application called as "SUN Identity Managaer" . once the user
authenticates using username/password, I redirect it to the custome
page ( please read... I REDIRECT IT TO THE CUSTOM PAGE ), where I ask
him second level of authentication questions.

But the problem here is that , once the first level of authentication
is passed , the internal session objects ( which are not known to us )
is already set, and thus any knowledgeable user can log into the
application by simple typing the end page in the address bar, while the
second page for authentication is on the screen .

I want to somehow , suspend that session until that seond level of
authentiation is also done. ( There is no function available to suspend
the session )

any pointers to the problem would be really appreciated.

regards,
Gaurav

 

[Babu Kalakrishnan]

I have a application called as "SUN Identity Managaer" . once the user
authenticates using username/password, I redirect it to the custome
page ( please read... I REDIRECT IT TO THE CUSTOM PAGE ), where I ask
him second level of authentication questions.

But the problem here is that , once the first level of authentication
is passed , the internal session objects ( which are not known to us )
is already set, and thus any knowledgeable user can log into the
application by simple typing the end page in the address bar, while the
second page for authentication is on the screen .

Your authentication need not be limited to what the container has
performed for you. (I assume that's what you mean by the "first level").
Your servlet code that handles the submit from this second level
authentication screen could set some special attribute in the session if
and only if that level of authentication has been completed succesfully
(e.g. session.setAttribute("AUTHENTICATED","YES") ) - and your servlet
could deny requests to any other protected page if that special
attribute is not found in the session.

BK