#1
    web portal in JSP


    I'm coding a web portal using JSP, Java Beans and Servlets. I've just started learning and I've run into inevitable problems.

    My web portal requires users to log in, after which they can navigate around a members-only area. What I need to do is to somehow track this user so that he doesn't go into pages that he isn't authorised to see.

    I'm not using Cookies since browsers can disable this feature. One way is to pass an identifier (e.g. their user name and password) from one page to the next by appending it to the URL (e.g. profile.jsp?user=ph34r&password=gkd839). This is obviously unsafe because their password will appear in the browser's Address Field.

    An alternative that I have found is to use the setAttribute of the HttpSession object. However, I can only get it to work in Servlets and not JSP pages.

    Any suggestions?
  2. #2
    JSP pages just use session. So, session.setAttribute( "foo", "bar" ); and session.getAttribute( "foo" ). Same thing with the request and application objects. The JSP engine builds the objects for you.

    Do use sessions, though. Way less of a headache, and much more secure.
  4. #3
    Also, check this:

    http://jakarta.apache.org/taglibs/do...1.0/index.html

    JSTL, very easy to use and beautiful :-)

    Good luck
  6. #4
    Thanks for the responses! Really appreciate it ;-)

    Now I have another problem. When the user logs in, I use session.setAttribute ("userID", userID) and he is forwarded to members/home.jsp. home.jsp has a check. If userID is null, it means that the user hasn't logged in (perhaps he got to this page by typing in the URL into the Address Bar). He is forwarded back to the login page. It works for users who have never logged in before.

    When the user logs out, I use session.removeAttribute ("userID") and just to make sure that his userID is no longer stored, I add a check:

    <%= session.getAttribute ("userID") %>

    It returns null. OK, fine.

    But after logging out, when I go back to members/home.jsp by typing the URL in the Address Bar, I find that he can access the page and session.getAttribute ("userID") returns his user name. This should not be the case since he has already logged out and I have removed the userID attribute. What's going on?

    Also, another thing I noticed was that when I tried to use session.invalidate () instead of session.removeAttribute ("userID") in the logout page, I get an error saying that the session is already invalidated. Why is this?
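
An added example, not code from any poster in this thread: one way to centralise the login check and the logout that post #4 describes, written against the javax.servlet API. The class names, the /members/* mapping and the login.jsp path are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: map it to /members/* in web.xml so every members
// page gets the same check instead of repeating it in each JSP.
public class MemberAreaFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // getSession(false) never creates a session for an anonymous visitor.
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("userID") != null;
        if (!loggedIn) {
            // encodeRedirectURL appends the session id to the URL only when
            // the container cannot rely on a session cookie.
            res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + "/login.jsp"));
            return;
        }
        // Ask the browser and proxies not to keep a copy of members pages.
        res.setHeader("Cache-Control", "no-store");
        res.setHeader("Pragma", "no-cache");
        res.setDateHeader("Expires", 0);
        chain.doFilter(rq, rs);
    }

    // Hypothetical logout servlet (nested only to keep the example in one file).
    public static class LogoutServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse res)
                throws IOException {
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.invalidate(); // drops userID and every other attribute
            }
            // Do not touch 'session' after this point: getAttribute() on an
            // invalidated session throws IllegalStateException.
            res.sendRedirect(req.getContextPath() + "/login.jsp");
        }
    }
}
```

Keeping only the user ID in the session, never the password, means nothing sensitive has to travel in the URL even when the container falls back to URL rewriting.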
