
About FORM based authentication

 
Abimaran Kugathasan
In the HFSJ book, it's mentioned as,
Note: If you're using Form-based authentication, be sure to turn on SSL or session tracking, or your Container might not recognize the login form when it's returned.


Why do we have to use SSL for this? I know session tracking is needed to track the user who asked for the restricted resource. But how do we use SSL for session tracking? SSL is used for secure transmission. For session tracking?

Thanks...
 
Parth Twari
SSL alone can be used for session tracking and secure transmission. Go to the specs and read the ways by which the Container can perform session tracking.
 
Frits Walraven
Hi Abimaran,
Note: If you're using Form-based authentication, be sure to turn on SSL or session tracking, or your Container might not recognize the login form when it's returned.
It is written in a rather difficult way, but read it like this:

If the container doesn't track sessions, the users can be asked to authenticate every time they request a URL which has a security-constraint (which is quite annoying).

SSL is used for secure transport, but it also comes with an extra feature of session tracking:
SRV.7.1.2 SSL Sessions
Secure Sockets Layer, the encryption technology used in the HTTPS protocol, has a
built-in mechanism allowing multiple requests from a client to be unambiguously
identified as being part of a session. A servlet container can easily use this data to
define a session.

Regards,
Frits