January 23rd, 2002, 09:59 AM
Join Date: Apr 2001
Location: Northampton, England
Simple JSP session question
I am implementing a simple login system as part of a Java Server project. At present, I have a form which submits a username and password to a JSP file which then looks them up in the database and, if correct, allows the user to proceed.
I would like to use sessions to allow a logged in user to remain logged in from page to page.
I have read up on JSP sessions on the web, and I have some (limited) experience using sessions with PHP.
Will it be sufficient (from a security point of view) to have my login jsp file use
session.setAttribute( "loggedIn", Boolean.TRUE );
once the password and username have been verified, and then to check loggedIn at the top of every subsequent page? Or is this open to misuse? In the tutorials I have seen on the web, I have seen very little mention of any security issues related to JSP sessions. Is it possible for a user to set loggedIn to be true from outside of the JSP? (i.e. from the URL line or anything?) thereby bypassing my log in page? If so, would it be better for me to set as session variables the username and password, and then do a check with the database at the top of every page?
Any help would be most appreciated.
Think of the most annoyingly simple question and I've probably asked it on here!
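Added example, not code from the original poster. Session attributes live in the servlet container's memory and are looked up by the session ID the container hands the browser (the JSESSIONID cookie, or a rewritten URL), so a visitor cannot set "loggedIn" from the address bar; the only thing under the browser's control is which session ID it presents. That makes the two things worth protecting the ID itself (issue a fresh one at login so a pre-planted ID cannot be reused, give the session an idle timeout) and the check (do it in one Filter rather than copying it to the top of every page). The code below shows a login servlet and a filter that do this. The in-memory user table with its salted SHA-256 hash stands in for the database lookup the post describes, and the attribute name "authUser", the paths "/login.jsp" and "/app/", and the form field names are assumptions. Storing the password in the session, or re-querying the database on every page, is not needed: the server-side attribute is the proof of login.

```java
// Added example (not the original poster's code): login servlet + auth filter.
// UserStore is a constructed stand-in for the database; paths and attribute
// name are assumptions.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Stand-in for the database table: username -> {salt, SHA-256(salt || password)}. */
final class UserStore {
    private static final Map<String, byte[][]> USERS = new HashMap<String, byte[][]>();

    static {
        // Constructed sample row. Real code reads salt and hash from the DB;
        // the derivation here only simulates what registration would have stored.
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        USERS.put("alice", new byte[][] { salt, hash(salt, "correct horse battery") });
    }

    static byte[] hash(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            return md.digest(password.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** True only if the user exists and the password hashes to the stored value. */
    static boolean verify(String username, String password) {
        byte[][] row = USERS.get(username);
        if (row == null) {
            hash(new byte[16], password);   // same cost as a real user, so timing does not reveal valid names
            return false;
        }
        return MessageDigest.isEqual(row[1], hash(row[0], password));   // constant-time compare
    }
}

/** Receives the POST from the login form (fields "username" and "password", assumed). */
public class LoginServlet extends HttpServlet {
    static final String USER_ATTR = "authUser";   // assumed attribute name

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null || !UserStore.verify(user, pass)) {
            resp.sendRedirect(req.getContextPath() + "/login.jsp?failed=1");
            return;
        }
        // Discard whatever session the browser arrived with and issue a new ID, so an
        // ID an attacker planted beforehand (session fixation) is never the logged-in one.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = req.getSession(true);
        // The identity is kept server-side; the browser only holds the session ID cookie
        // and cannot write this attribute through the URL or a form.
        session.setAttribute(USER_ATTR, user);
        session.setMaxInactiveInterval(15 * 60);   // idle timeout in seconds
        resp.sendRedirect(req.getContextPath() + "/app/");
    }
}

/** One check for every URL the filter is mapped to, instead of a copy at the top of each page. */
class AuthFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(false);   // never create a session just to inspect it
        if (session == null || session.getAttribute(LoginServlet.USER_ATTR) == null) {
            resp.sendRedirect(req.getContextPath() + "/login.jsp");
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Map AuthFilter in web.xml with a filter-mapping whose url-pattern covers the protected pages (for the assumed layout, /app/*) and leave login.jsp outside that pattern; any JSP under the pattern can then read the logged-in name with session.getAttribute("authUser") without repeating the check. Logout is session.invalidate() followed by a redirect to the login page.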