August 16th, 2002, 11:06 AM
web portal in JSP
I'm coding a web portal using JSP, Java Beans and Servlets. I've just started learning and I've run into inevitable problems.
My web portal requires users to log in, after which they can navigate around a members-only area. What I need to do is to somehow track this user so that he doesn't go into pages that he isn't authorised to see.
I'm not using Cookies since browsers can disable this feature. One way is to pass an identifier (e.g. their user name and password) from one page to the next by appending it to the URL (e.g. profile.jsp?user=ph34r&password=gkd839). This is obviously unsafe because their password will appear in the browser's Address Field.
An alternative that I have found is to use the setAttribute of the HttpSession object. However, I can only get it to work in Servlets and not JSP pages.
August 16th, 2002, 04:51 PM
JSP pages just use session. So, session.setAttribute( "foo", "bar" ); and session.getAttribute( "foo" ). Same thing with the request and application objects. The JSP engine builds the objects for you.
Do use sessions, though. Way less of a headache, and much more secure.
August 17th, 2002, 12:31 AM
August 19th, 2002, 11:13 AM
Thanks for the responses! Really appreciate it ;-)
Now I have another problem. When the user logs in, I use session.setAttribute ("userID", userID) and he is forwarded to members/home.jsp. home.jsp has a check. If userID is null, it means that the user hasn't logged in (perhaps he got to this page by typing in the URL into the Address Bar). He is forwarded back to the login page. It works for users who have never logged in before.
When the user logs out, I use session.removeAttribute ("userID") and just to make sure that his userID is no longer stored, I add a check:
<%= session.getAttribute ("userID") %>
It returns null. OK, fine.
But after logging out, when I go back to members/home.jsp by typing the URL in the Address Bar, I find that he can access the page and session.getAttribute ("userID") returns his user name. This should not be the case since he has already logged out and I have removed the userID attribute. What's going on?
Also, another thing I noticed was that when I tried to use session.invalidate () instead of session.removeAttribute ("userID") in the logout page, I get an error saying that the session is already invalidated. Why is this?
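Added example, not code from anyone in this thread: one way to do the session-attribute login check described in the second post and the login/logout flow from the last post, using only the javax.servlet API. Instead of repeating the userID check in every JSP, a Filter mapped to /members/* does it once; the logout servlet calls session.invalidate() and then does not touch the session object again, because any further getAttribute() on an invalidated session throws IllegalStateException ("session already invalidated"). The paths /members/* and /login.jsp, the attribute name "userID", and the Cache-Control headers are assumptions for this example.

```java
// Added example (not from the thread). Servlet 2.3-style Filter + logout servlet.
// Assumed layout: members-only pages under /members/*, login form at /login.jsp.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Map this in web.xml to /members/* so every members-only page is checked in one place. */
public class MembersOnlyFilter implements Filter {
    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) returns null instead of creating a session for an anonymous visitor.
        HttpSession session = request.getSession(false);
        Object userID = (session == null) ? null : session.getAttribute("userID");

        if (userID == null) {
            // Not logged in, or logged out: send to the login page and stop the chain,
            // so the protected page is never rendered.
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }

        // Ask the browser not to cache members-only pages. Otherwise, after logout,
        // pressing Back or retyping the URL may show a cached copy of the page even
        // though the server would now refuse it.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        chain.doFilter(req, res);
    }

    public void destroy() { }
}

/** Called after the credentials have been verified (verification itself is out of scope here). */
class LoginSessionHelper {
    static void startLoggedInSession(HttpServletRequest request, String userID) {
        // Drop any pre-login session and start a fresh one, so the session id the
        // browser held before authentication is not the one that becomes logged in.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        request.getSession(true).setAttribute("userID", userID);
    }
}

/** Map to /logout. Invalidates the whole session rather than removing one attribute. */
class LogoutServlet extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();   // discards every attribute and retires the session id
        }
        // Do NOT read from 'session' after invalidate(): getAttribute() would throw
        // IllegalStateException("session already invalidated"). A JSP with the default
        // session="true" that does <%= session.getAttribute("userID") %> after calling
        // session.invalidate() on the same page hits exactly that error.
        response.sendRedirect(request.getContextPath() + "/login.jsp");
    }
}
```

Two notes on using this with the setup in the thread. First, the servlet container tracks the session with a cookie by default; when cookies are disabled it can fall back to URL rewriting, but only if every link and redirect in the members area is passed through response.encodeURL(...) or response.encodeRedirectURL(...), otherwise the next request arrives with no session and the filter sends the user back to the login page. Second, with the filter in place the individual JSPs no longer need their own userID null check, which removes the risk of forgetting it on one page.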