
bookmark not redirecting to login page

 
Chris Mattmiller
Greenhorn
Posts: 10
Hello everyone,
I have a couple of webpages that require a user to be logged in. Normally a user goes through our main web page to log in; however, we recently discovered that one user has bookmarked a page after he logged in and is now able to bypass the login page. Is there a way to prevent this from happening?
Here is what I have for the getSession; should it be false?


I also have the timeout in web.xml set for 60 minutes.

Thank you in advance.
[ December 03, 2008: Message edited by: Chris Mattmiller ]
 
Ulf Dittmer
Rancher
Posts: 42968
Yes, it should be false. As it is, a session will be created if none exists. Thus the body of the if condition will never be executed.
 
Chris Mattmiller
Greenhorn
Posts: 10
Okay... I just tried that. Now after logging in, when I click a link to a secure page, it redirects me to the login page again. I log in again, click the link, and now it takes me to the page. But if I click another link, it redirects me to the login page again. Any way to prevent the multiple logins?
 
Ben Souther
Sheriff
Posts: 13411
I avoid testing the session object itself.
There are a lot of reasons why it might not be null (JSPs by default create a session object).

Instead I bind an object to session during the login process and test for the existence of that object.
 
Chris Mattmiller
Greenhorn
Posts: 10
I added this code to my login servlet:


and I added this to my order servlet (there is a link on secure.jsp for order.jsp)



I get redirected to the secure.jsp. When I click on the link for order.jsp I get redirected back to the login. The account number is there, but validated is null. Should I not be setting 2 different parameters?
 
Ben Souther
Sheriff
Posts: 13411
Why are you looking for the 'validated' variable as a form parameter?

Why aren't you checking it in session?
 
Chris Mattmiller
Greenhorn
Posts: 10
Shouldn't request.getParameter("validated") return either "true" or "false", not null?
 
Ulf Dittmer
Rancher
Posts: 42968
Ben's point is that if you add those attributes to the session, then the session is where you need to retrieve them from. They're not request parameters.
 
Chris Mattmiller
Greenhorn
Posts: 10
Originally posted by Chris Mattmiller:
Shouldn't request.getParameter("validated") return either "true" or "false", not null?

Sorry, I should have had session.getAttribute("validated"), which still returns null and not "true" or "false".
 
Ben Souther
Sheriff
Posts: 13411
If your session hasn't got a "validated" attribute (new session), then it will return null.
 
Chris Mattmiller
Greenhorn
Posts: 10
I think the issue lies in how everything is set up on the webserver. Right now they have a different path for the main pages (including login page) and another path for the secure pages.
For more clarity:
Login Pages - /webserverpath/main/login
Secure Pages - /webserverpath/secure

Does that make sense? If so, could that be the issue? I just started working with this about 6 months ago, only changing a few things here and there. Never had to deal with the security end of it, and unfortunately the guy who did deal with it has been gone for over a year.
 
Chris Mattmiller
Greenhorn
Posts: 10
I think I may have solved the problem by adding:


From my testing that seems to be working.
 
Chris Mattmiller
Greenhorn
Posts: 10
Never mind, that's not working either.
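
As an added example (not code from any poster in this thread), one way to implement the approach discussed above: a servlet filter that calls getSession(false) and tests for an object bound at login instead of testing the session itself. The class name, the Boolean value stored under "validated", and the login path relative to the context root are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: map this filter to the protected URLs (e.g. /secure/*) in web.xml.
public class LoginRequiredFilter implements Filter {
    // Assumed names: the attribute bound at login and the login URL.
    static final String AUTH_ATTR = "validated";
    static final String LOGIN_PATH = "/main/login";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session; a bookmarked request
        // with no (or an expired) session cookie yields null here.
        HttpSession session = request.getSession(false);
        // Test the marker bound at login, not the session object itself:
        // a JSP may already have created an unauthenticated session.
        boolean loggedIn = session != null
                && Boolean.TRUE.equals(session.getAttribute(AUTH_ATTR));

        if (!loggedIn) {
            response.sendRedirect(request.getContextPath() + LOGIN_PATH);
            return; // stop here so the protected resource is never rendered
        }
        chain.doFilter(req, res);
    }

    // What the login servlet would call after verifying credentials.
    static void markLoggedIn(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate(); // drop any pre-login session
        request.getSession(true).setAttribute(AUTH_ATTR, Boolean.TRUE);
    }
}
```

A session belongs to a single web application, so the login servlet and the secure pages must be deployed in the same context for the attribute set at login to be visible to this filter.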
 