> I'm working on a webapp including several servlets. I have set up a user
> authentication mechanism checking user accounts in a database. This works
[quoted text clipped - 3 lines]
> say Servlet2, and bypass the authentication. Is there another way of
> securing access to the web app?
If you're using the declarative J2EE security, this last part should not
be possible (IIRC it isn't). The only problem that remains then, is to
keep the session valid until the user goes to another website.
However, a user may have two browsers or browser windows open at the same
time, and generally may go on the web where and when he pleases (given
authorization). So basically, this problem cannot be solved.
Your best bet is to let the session have a timeout of, say, a week (with
caching on disk). For the user, this will amount to the same thing, as:
- a user is unlikely to have a browser open for more than a week; and
- the session cookie expires when the browser closes, which amounts to
logging out.
Oscar

Oscar Kind http://home.hccnet.nl/okind/
Software Developer for contact information, see website
PGP Key fingerprint: 91F3 6C72 F465 5E98 C246 61D9 2C32 8E24 097B B4E2