request authentication

 
Greenhorn
Posts: 23
Hello all,

I have a small query. Suppose you have a very secured site. Now after the user has logged in, the user copies the URL from the address bar of the browser. Then in the same browser window the user opens another site (google.com). Now the user pastes the copied URL in the address bar. Here the request is bypassing the login page and the user sees the first page of the application. How can this be avoided? A classic example is some banking website, for example www.icicibank.com. On this website the above situation does not arise as (I guess) each and every request is being authenticated by the web application.

Please help me!!!
 
Rancher
Posts: 43081
Where exactly do you see the problem? A request is made to a site where the user is authenticated already. The authentication info is passed along with the request (probably either a cookie or an HTTP authentication header). Usually in these circumstances the server will remember when the last access happened, and require re-login if the time passed since then is too long (say, half an hour). Whether the browser was used to access some other site in between doesn't really matter.

On this website the above situation does not arise as (I guess)

Do you mean JavaRanch? It works just the same here - have a look at the cookies stored on your system for saloon.javaranch.com. You can even close the browser, and still don't need to re-login the next day.
[ April 11, 2006: Message edited by: Ulf Dittmer ]
 
Kanu Dialani
Greenhorn
Posts: 23
Hi Ulf Dittmer,

I know that once the user is authenticated, the user cannot enter only when the session is invalidated. But I want my requests to be coming from my pages only. If you have used www.icicibank, then you'll come to know what I exactly mean. If the user leaves my site then they'll have to re-login to access the web app, even if the session is still valid.
 
Ulf Dittmer
Rancher
Posts: 43081
You could examine the REFERER HTTP header, to see if it contains a URL from your site. That header can be manipulated on the client, of course, but it makes it harder to access pages on your site coming from somewhere else.
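
The Referer check suggested in the last reply, as an added example that is not part of the original thread. The host name `bank.example`, the `/login` path and the class and method names are assumptions made for illustration; the sample requests are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example: decides from the Referer header whether a request came from the site's own pages.
public class RefererCheck {
    // Assumed values for illustration; not taken from the thread.
    static final String SITE_SCHEME = "https";
    static final String SITE_HOST = "bank.example";
    static final String LOGIN_PATH = "/login";

    /** True if the request should be served, false if it should be sent to the login page. */
    static boolean allow(String requestPath, String referer) {
        // The login page is the one entry point that may be reached from anywhere.
        if (LOGIN_PATH.equals(requestPath)) return true;
        // A URL typed or pasted into the address bar carries no Referer header.
        if (referer == null || referer.isEmpty()) return false;
        try {
            URI u = new URI(referer);
            // Compare the parsed scheme and host exactly; a prefix or substring match
            // would also accept hosts such as "bank.example.other.test".
            return SITE_SCHEME.equalsIgnoreCase(u.getScheme())
                && SITE_HOST.equalsIgnoreCase(u.getHost())
                && (u.getPort() == -1 || u.getPort() == 443);
        } catch (URISyntaxException e) {
            return false; // unparseable header: treat as off-site
        }
    }

    public static void main(String[] args) {
        // Constructed sample requests: {path, Referer header or null}.
        String[][] samples = {
            {"/accounts", "https://bank.example/home"},
            {"/accounts", null},
            {"/accounts", "https://www.google.com/"},
            {"/accounts", "https://bank.example.other.test/home"},
            {"/login", null},
        };
        for (String[] s : samples) {
            System.out.println(s[0] + " referer=" + s[1] + " -> "
                + (allow(s[0], s[1]) ? "serve" : "redirect to login"));
        }
    }
}
```

In a servlet filter the second argument would come from `request.getHeader("Referer")`.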
 