• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

Web application security...

 
Ranch Hand
Posts: 184
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I'm planning out an admin section for a web site I'm working on, and security is something I have a question about. Typically, I'd set a String to session when a user logs in and check for that variable on every "admin page". This works ok, but the session doesn't always die out until they close the browser window (even after I invalidate their session in a logout script).
Can anybody recommend a better way to handle security of a section of my site?
 
Rancher
Posts: 13459
Android Eclipse IDE Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I'm not not sure I understand.
What are you requirements?
 
Chris Stewart
Ranch Hand
Posts: 184
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
The only req as far as security goes is to make sure nobody can access the pages in the admin section (/admin/) unless they have logged in.
 
David O'Meara
Rancher
Posts: 13459
Android Eclipse IDE Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Have a look at the authentication and authorization that should be built into your application server. It is possible to set up a single rule stating "No-one can login to /admin/ unless I know who they are and they are allowed in there"
Letting the server take care of authentication is a lot easier and safer than trying to mane it on a per-page basis.
Dave
 
Ranch Hand
Posts: 236
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I suggest you use JAAS for setting up the security module in your website.
But, coming to your original question, I still dont understand how the session object was alive on the server even after you called invalidate on it
 
Chris Stewart
Ranch Hand
Posts: 184
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Manjunath Subramanian:
But, coming to your original question, I still dont understand how the session object was alive on the server even after you called invalidate on it


I don't either. I implemented the session value way last night and it invalidates just fine. I guess I'll stick with this for now.
 
Saloon Keeper
Posts: 27762
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
In the long term, you'll really gain by using JAAS and server security. My webapps have a security rule in web.xml such that URLs with /admin in the path are restricted to users in the administrator role. Thus, the security is enforced by the server and I don't have to maintain code in each and every servlet and JSP.
reply
    Bookmark Topic Watch Topic
  • New Topic