I was wondering how most websites maintain user's login state. Do they usually place a cookie on the user's hard drive or are they somehow maintaining the state somewhere on the server side? I know that for some sites there's a 'save password' (such as this forum) and that gets done using a cookie. But how do some other sites reset to "logged off" state when the user closes the browser's window or clicks 'log out'?? Thanks I'd appreciate any advice on this issue because I need to implement this functionality using JSP.
what usually happens is that once a user is validated, a token (could be a String, an object, whatever) that indicates that user is validate is added to the HttpSession (session.putValue()). Then, each jsp that is loaded checks for the existence of that token. To logout, the token is removed or you could call session.invalidate(). The session.invalidate() is safer because it removes all session information.
<BLOCKQUOTE><font size="1" face="Verdana, Arial">quote:</font><HR> fantastic, a towel? <HR></BLOCKQUOTE>
Originally posted by Geoff Tate: what usually happens is that once a user is validated, a token (could be a String, an object, whatever) that indicates that user is validate is added to the HttpSession (session.putValue()). Then, each jsp that is loaded checks for the existence of that token.
Also used, and slightly "cleaner", is mapping an entire section of the site to a single servlet that checks if the user has logged in. If not, the servlet redirects the user to the login page. Otherwise the request is forwarded to whatever page was requested. The disadvantage is that it incurs a bit more overhead. I understand the upcoming version of the servlet spec will have filters making this approach a bit more lightweight. - Peter
Thank you my well lotioned goddess! Here, have my favorite tiny ad!