January 23rd, 2002, 09:59 AM
Simple JSP session question
I am implementing a simple login system as part of a Java Server project. At present, I have a form which submits a username and password to a jsp files which then looks them up in the database and if correct allows the user to proceed.
I would like to use sessions to allow a logged in user to remain logged in from page to page.
I have read up on JSP sessions on the web, and I have some (limited) experience using sesssions with PHP.
Will it be sufficient (from a security point of view) to have my login jsp file use
once the passowrd and username has been varified, and then to check loggedIn at the top of every subsequent page? Or is this open to misuse? In the tutorials I have seen on the web, I have seen very little mention of any security issues related to JSP sessions. Is it possible for a user to set loggedIn to be true from outside of the JSP? (i.e. from the URL line or anything?) thereby bypassing my log in page? If so, would it be better for me to set as session variables the username and password, and then do a check with the database at the top of every page?
session.setAttribute( "loggedIn", true );
Any help would be most appreciated.
Think of the most annoyingly simple question and I've probably asked it on here!
January 23rd, 2002, 04:17 PM
i am assuming you are using tags?.. well, it sounds like everything you are saying is how we do ours....
the user should login with login and password, that pages goes to a page that does ALOT... should check to see if the user is legit (check for login&pw match).... and inside that logic, set JUST the login attribute to the session along with any other things you may want for the user (a namid or whatever)... do not set the password here because you dont want to hit the database on every page to check to see if the password& login match...
in a seperate if statement from the (if (request.getParamet("login") != null && --- password not null blah...)
outside of this if statement (which it will skip on the next page because password is null.... you have a if statement like
(session.getAttribute("login") != null)
then you can skip the body of the tag.. or code.. or whatever...
so... you first to see if there is a request object for your login & password (which will log the user in if they both exist and hit database) and if they are null, check to see if the user has a login session...
you must put the tag at the top of every JSP page which you wish the user to be logged in for in able to see... this is secure enough because if session is null, just redirect them to an error page or Session timed out page or even your login page... blah... hope this helps, i know i am rambling, i am just trying to remember my code...