
Prevent automatic session invalidate when I click a link in JSF

 
Kishorg Kumarn
I am developing a JSF based web application. In this, I am obtaining user credentials and comparing one with existing in DB. Upon matching, creating session and redirecting a page with all links related to that user and I am successfully accessing the session here in this page. Everything is OK up to here. But if I clicked any link in this page, a new page appears but the existing session is getting automatically expired and new session is creating. My actual requirement is not to create new session and remain with old session.

Upon giving valid loginname and password, one.xhtml is rendering with session attribute user perfectly. But when I clicked the link to two.xhtml, I am not getting session attributes. But actually I don't want to create new session even in two.xhtml. The current session is to be expired only when I clicked logout link.

Please help me. Thank you in advance.
Please find the JSF Pages, Beans and DAOs. And help me.

 
Tim Holloway
I have a technical term that I use when describing security systems such as what you have outlined. That term is "hacked".

No joke. Over 90% of all the "write-your-own-login" systems I've seen over the last decade or so working with J2EE have been easily exploitable by non-technical people in 10 minutes or less. Unless you are a full-time formally trained security expert, you should not try writing your own login/security system. Nor for that matter, using one created by some in-house "genius". Security is very much a weakest-link thing and if it's something you have to do in addition to your main job, you shouldn't be doing it at all. Use the pre-written security system that comes standard as part of J2EE/JEE. Because that system was designed by full-time security experts and it avoids such common mistakes as "obtaining user credentials and comparing one with existing in DB".

It will also maintain (or create) a session. The jsessionid value changes, but that's for security reasons. The actual session and its data do not.
 