Create new Session each time new User Login

 
Greenhorn
Posts: 8
Hi guys, I am new to Servlets.
I have an index.html page with 3 buttons (login as user, register, login as manager). Each option will be validated in LoginServlet, and then redirected to the specific pages.
In my user.html and manager.html I have a button for logout. Here I call session.invalidate() to remove the session.
When user login is clicked, I need to create a new session. The problem is that whenever a new user is created or a user logs in, I do not receive a new session. I use a SessionListener with the method onSessionCreated to check whether a new session was created or not.

Here is the code for initialising a new session in my LoginServlet:

I have tested on Firefox. Whenever I open a new index.html in order to log in with multiple accounts, I always get the same session id.

Example: if I open Firefox for manager login and Google Chrome for user login, I get 2 different session ids. That is what I actually want.
So in conclusion: I can't have a new session id whenever I create a new account or use the login menu in the same browser?




 
Ranch Hand
Posts: 207
Maybe you aren't invalidating it?  You might want to show the rest of your code.
 
Datdepzai Bui
Greenhorn
Posts: 8
OK, after I log in as user successfully I will be at mainmenu.jsp, otherwise as manager I will be at serversetting.html. In both of these pages I have a logout button. This logout button is in a form which will call the post method of Server-Servlet.
In Server-Servlet I handle the logout button action.

Here is the code:

So first, whenever any action from serversetting.html happens, the function doPost will be called, and in "handlerManagerServices" I have to check if the session is still there. If not, I have to redirect to index.html and the other action will not be processed. I have to do that because I need to implement a session timeout for my manager client. So whenever a manager wants to take some action, I first have to check if the session has been destroyed in order to redirect to index.html.

Logout function
So the "isManager" parameter is to recognize whether it is a manager who wants to be logged out or a user.
After logout I redirect to index.html.

The static variable LoginServlet.isManagerActiv is there because the definition of my project is: only 1 manager is online at a time. So I have to set it to false in order to log in as manager again.

And here is the function to check manager login from LoginServlet:

I hope it's a little bit clearer now.
 
Al Hobbs
Ranch Hand
Posts: 207
Have you debugged or done tests to see if the logout method is being called?
 
Datdepzai Bui
Greenhorn
Posts: 8

Al Hobbs wrote:Have you debugged or done tests to see if the logout method is being called?



Yes I did, and the function is activated.

Now I show you the output from my test with these steps I did:
1) Log in as user.
2) Open a new index.html and log in as manager.
3) Log out as manager.
4) Log in as manager again.

I have in the output something relating to the steps above like this:

session created: A8311A622A4F58ACB5D6186BDEEF5091     // After login as user in step 1) I have this session id, and in step 2) when I log in as manager I do not get a new session id, and this is the session id for my manager.

sessionCreated - add one session into counter
sessionDestroyed - deduct one session from counter
session destroyed: A8311A622A4F58ACB5D6186BDEEF5091  // In step 3) when I log out the manager, the previous session gets destroyed.
manager logout                                       // Output: manager is logged out.
session created: 003115A4092AA7F6ADD1F945D9700CDF     // Right after manager logout the previous session gets destroyed and a new session is automatically created, I don't know why.
sessionCreated - add one session into counter        // After that go to step 4) log in as manager again and I have this session id 003115A4092AA7F6ADD1F945D9700CDF

All tested in one browser with 2 tabs. The requirement of my project is: every user has, after successful login, a unique session. Manager also, but only one manager can access the server at the same time. So I actually fulfil every condition except that every user and manager has their own session id.
 
Al Hobbs
Ranch Hand
Posts: 207
Okay, so logout works because you are getting a new session id after logging out.  That makes sense if the only place you invalidate the session is when you logout.  Are you invalidating the session when logging in? 
 
Datdepzai Bui
Greenhorn
Posts: 8

Al Hobbs wrote:Okay, so logout works because you are getting a new session id after logging out.  That makes sense if the only place you invalidate the session is when you logout.  Are you invalidating the session when logging in? 



No, I do not invalidate the session when I log in. It does not make sense, right? I wonder why I automatically get a new session directly after I log out from manager?
Is it because on the other tab I still have the user logged in, so the Tomcat server automatically creates a new session for that user-login tab? I would like to hear your mind.

I have read some threads about this multiple session problem.
Some users said it does not make sense, because normally one user logs in on a different computer so they will have a different session for sure. But when you log in just from a different browser tab, you can't have a new session for each user login because the session is saved in cookies and each browser has only one cookie. So in conclusion I can't have multiple sessions as long as I use multiple tabs on the same browser?

 
Al Hobbs
Ranch Hand
Posts: 207
You want a new session after somebody logs in right? If you want a new session you have to invalidate the old one. 
 
Datdepzai Bui
Greenhorn
Posts: 8

Al Hobbs wrote:You want a new session after somebody logs in right? If you want a new session you have to invalidate the old one. 



The quote of my project: "After successfully logging, the user client receives a session identifier, which it uses for all other functions."
So I think I need a new session id for every successful login.
So each user will have a different session? Is it not possible that every login has a different id and based on that id I can identify which user it was?

 
Al Hobbs
Ranch Hand
Posts: 207
You don't have to login to get a session id. Anytime you visit a site, you get a session id. When the person logs in, invalidate the session; then when you getSession() it will automatically make a new one for you. Done. Dunno what base you are talking about.
 
Datdepzai Bui
Greenhorn
Posts: 8

Al Hobbs wrote:You don't have to login to get a session id. Anytime you visit a site, you get a session id. When the person logs in, invalidate the session; then when you getSession() it will automatically make a new one for you. Done. Dunno what base you are talking about.



OK, I understand what you mean but I think it will not help in my case.

"You don't have to login to get a session id"
+ It's in the definition of my project. When a user successfully logs in, it will receive a session identifier. So that means, when a user does not log in or a manager does not log in, no session will be created.

"anytime you visit a site, you get a session id"
+ That does not solve my main question. The problem with 2 users on 2 tabs with 2 different session ids seems not possible.

 
Master Rancher
Posts: 3675
You don't control the sessions.
That's handled by the server and browser.

You'll find that a single browser (eg Chrome, Firefox etc) talking to a single website will only have the one session, no matter how many tabs you open, or browser windows.

Whoever said that not logging in will result in no session either does not understand how sessions work, or "session id" does not mean what we think it means.
 
Datdepzai Bui
Greenhorn
Posts: 8

Dave Tolls wrote:You don't control the sessions.
That's handled by the server and browser.

You'll find that a single browser (eg Chrome, Firefox etc) talking to a single website will only have the one session, no matter how many tabs you open, or browser windows.

Whoever said that not logging in will result in no session either does not understand how sessions work, or "session id" does not mean what we think it means.



Ah, like I said before, I was wondering because when I use 2 different browsers I have 2 different session ids.
The project description:
"a manager logs in to the server with a password. the registration is successful if the password is correct. The manager receives a session ID, which he uses for all other functions. The server only allows one manager at a time"

"A user can log in to the server with his username and password. After successful login, the user receives a session ID, which he uses for all other functions. Based on this identifier, the server can check if the functions of the user are allowed"

So to make it clear: for demonstration I need to open 2 different browsers for manager and user in order to have different session IDs, because each browser only supports one session.


 
Dave Tolls
Master Rancher
Posts: 3675
The wording strikes me as strange on those requirements.
"Based on this identifier [the session ID], the server can check if the functions of the user are allowed."

Maybe it's just the way it's written, but that wouldn't be how I think of a normal sessionID.
I don't think I've ever used a session ID to determine a user's privileges.
 
Datdepzai Bui
Greenhorn
Posts: 8

Dave Tolls wrote:The wording strikes me as strange on those requirements.
"Based on this identifier [the session ID], the server can check if the functions of the user are allowed."

Maybe it's just the way it's written, but that wouldn't be how I think of a normal sessionID.
I don't think I've ever used a session ID to determine a user's privileges.



Yes, I think the sentences are not clear also. Thanks for all your help. For me to determine privileges, I just check the login information and redirect to the specific page "user.jsp" or "manager.js". These 2 pages provide different functions and that's all. So no identifier is required to determine privilege.
 
Bartender
Posts: 19807
The fatal words that started it all: "Login servlet".

We have a technical term for web applications where user-written code manages logins and security. That term is "hacked".

Unless you are a full-time trained security professional, you have no business writing your own login code and I don't care how many J2EE books use "login" as an example. In a long and evil career with JEE and J2EE stretching all the way back to the previous millennium, I've worked with or reviewed a lot of webapp code. Some of it was for sensitive financial applications. Some of it was for military use. In my experience, something like 90% of the apps that used their own login code could be pwned by non-technical personnel in 15 minutes or less. Others here on the Ranch have reported similar observations.

A security system is only as strong as its weakest part and most do-it-your-self systems have at least one really, really weak part, and that includes the "shop standard" systems designed by the local "genius". As I said, it's something that should be done by someone who's properly trained and who isn't expected to add security as an extra part of their regular job.

The J2EE/JEE standard specification defines an authentication and authorization system that is implemented in all JEE standard containers from Tomcat and Jetty all the way up to WebLogic and WebSphere. It blocks many attacks before they can get anywhere near user code, it's well-documented (something that's very rare for in-house written systems), and thoroughly debugged. I've never heard of it being breached (unlike the servlet sandbox). In most cases that is what you should be using unless you want to find your sensitive information being sold at a discount in Romania.

And as an added benefit, the JEE container security system doesn't require you to write any login code at all. The login process is handled by the server itself automatically.

End of sermon. Now for the other admonishment.

It's unclear what exactly this "session ID" you're talking about is, but one thing I can state flatly: you should NEVER use jsessionid as a session identifier. This is true whether you're using cookies or URL rewriting.

The jsessionid is not meaningful data. It's a "randomly" generated hash key into the server's table of HttpSession-related data. And it can change at any time. Specifically, if you have a session and you login, the session remains, but the jsessionid value changes. In other words, to prevent invasion, once logged in you cannot use the old jsessionid value to locate HttpSession, because it has been replaced. The client and server normally pass the jsessionid back and forth between themselves as requests and responses are processed and neither client nor server should be doing anything else with it.
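As an added illustration of the invalidate-then-getSession() approach Al Hobbs describes above and of the "session id changes at login" point in this post (this is example code, not the poster's servlet or the project's own code), a login servlet that discards whatever session the browser arrived with and issues a fresh one; the ACCOUNTS map is a constructed placeholder for the project's real user store.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    // Constructed demo accounts (username -> {password, role}); a real
    // deployment looks users up in its own store with hashed passwords.
    private static final Map<String, String[]> ACCOUNTS = Map.of(
            "alice", new String[] {"alice-pw", "user"},
            "boss",  new String[] {"boss-pw", "manager"});

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String[] account = ACCOUNTS.get(req.getParameter("username"));
        if (account == null || !account[0].equals(req.getParameter("password"))) {
            resp.sendRedirect(req.getContextPath() + "/index.html?error=1");
            return;
        }
        String role = account[1];

        // Every visitor already has a container session before logging in.
        // Invalidate it so that no pre-login state, and no session id that
        // was issued before authentication, survives into the logged-in session.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        // getSession(true) now creates a fresh session with a new id; the
        // container sends the new JSESSIONID cookie with this response.
        HttpSession session = req.getSession(true);
        session.setAttribute("role", role);
        session.setMaxInactiveInterval(15 * 60); // idle timeout in seconds

        resp.sendRedirect(req.getContextPath()
                + ("manager".equals(role) ? "/serversetting.html" : "/mainmenu.jsp"));
    }
}
```

Because the browser keeps a single JSESSIONID cookie per site, logging in from a second tab replaces the first tab's session rather than adding a second one, which is the behaviour the thread describes.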