Preventing Bookmarks

Ranch Hand
Posts: 264
Hi,

I want to prevent the user from using bookmarked links to access pages deep in my application.

When a bookmarked link is accessed, my application might throw an error if that page expects to find a previously initialized session scope bean. Yes I am using JSF, but I think this post is more relevant in this forum.

Now, I am trying to write a filter to prevent such occurrences. I have a request.getSession().isNew()

The problem is, when a user visits a bookmarked link, the server presents the login form (my filter is never invoked here); by the time the user enters username and password and logs in, the session is already created and session.isNew() returns false.

Is there any way around this?

Thanks,
Dushy
Sheriff
Posts: 13411
I do this by putting an object in session after a successful login.

Each page (using a filter) checks for the existence of that object.
If it's not there, then I forward the user to the login page.
Saloon Keeper
Posts: 28716
No. In fact, some of the most successful security exploits on the Internet have been accomplished because a person (or program) can throw any text it likes at your server.

If you have deep-content pages interesting enough to bookmark, you should welcome the user, not thwart him/her. You can't control people's browsers anyway. The best you can do is synthesize temporary URIs that become meaningless when used at a later time.

I understand that you may need some context, however. Where possible, I recommend using wrapper services so as to minimize the manual maintenance of this aspect. That is, use container-based authorization rather than coded-in login logic, filters to detect lack of defined resources and create them (or redirect to a page where they can be created) and so forth.

As a last resort, custom JSP tags/servlet frontend logic can be used, but the first time you forget to include one on a newly created page, you've blown a hole in your system.
Ranch Hand
Posts: 39
You can close the direct access to your "internal" pages via filters.
Greenhorn
Posts: 11

Originally posted by Dushy Inguva:
Hi,

I want to prevent the user from using bookmarked links to access pages deep in my application.

When a bookmarked link is accessed, my application might throw an error if that page expects to find a previously initialized session scope bean. Yes I am using JSF, but I think this post is more relevant in this forum.

Now, I am trying to write a filter to prevent such occurrences. I have a request.getSession().isNew()

The problem is, when a user visits a bookmarked link, the server presents the login form (my filter is never invoked here); by the time the user enters username and password and logs in, the session is already created and session.isNew() returns false.

Is there any way around this?

Thanks,
Dushy
Don't try to control your users.. you can't.

A better approach would be to check for that session object that you need, and if it is not found redirect the user to the main page, or to the page where that session object is created. Then even if the user bookmarks the page
http://yourpage.com/productResults he would be redirected to, say, http://yourpage.com/index, and only after he has done the valid navigation you have decided for your site would he be able to enter that second results page.
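As an added example (not code from any poster in this thread), here is a servlet filter that does what the Sheriff's reply and the post above describe: it never creates a session itself (request.getSession(false)), sends requests with no login marker to the login page, and sends logged-in requests that lack the flow's session bean back to the entry page instead of letting the deep page fail. The attribute names, the /app/* URL pattern, the page paths and the Servlet 3.0 @WebFilter annotation are all assumptions; on a Jakarta EE container the javax.servlet imports become jakarta.servlet.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not from the thread. Mapped to every URL under /app/*, so a
// newly created page under that prefix is covered without adding anything to it.
// The login page itself lives outside /app/* so the filter never blocks it.
@WebFilter(urlPatterns = "/app/*")
public class NavigationGuardFilter implements Filter {

    // Assumed attribute names: the login code stores the user under USER_KEY,
    // and the first page of the search flow stores its bean under FLOW_KEY.
    static final String USER_KEY = "authenticatedUser";
    static final String FLOW_KEY = "productSearch";

    // Assumed page paths, relative to the web application's context root.
    static final String LOGIN_PAGE = "/login.xhtml";
    static final String ENTRY_PAGE = "/index.xhtml";

    @Override
    public void init(FilterConfig config) {
        // nothing to configure in this example
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) returns null instead of creating a session, so an
        // anonymous request for a bookmarked URL does not allocate server state.
        HttpSession session = request.getSession(false);

        // Not logged in: send to the login page rather than the deep page.
        if (session == null || session.getAttribute(USER_KEY) == null) {
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }

        // Logged in but the flow was never started in this session (e.g. the user
        // logged in because of a bookmarked deep link): restart at the entry page.
        if (session.getAttribute(FLOW_KEY) == null) {
            response.sendRedirect(request.getContextPath() + ENTRY_PAGE);
            return;
        }

        // Both markers present: let the request through to the page.
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Checking the session attribute rather than session.isNew() is what fixes the problem in the first post: after the login form has run, isNew() is false for every later request, but the flow bean is still absent until the entry page puts it there, so the filter's second check catches the bookmarked deep link regardless of when the session was created.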