tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <>
Subject Re: How to setup login based security?
Date Tue, 30 May 2000 16:29:48 GMT
Rick Bosch wrote:

> <%@ page session="false" %>
> is what i was looking for, but now I have to put that on every page?

Yes, if what you want is to avoid session creation.

>  Can I
> specify this as the default in server.xml instead of the other way around?

No ... the behavior is defined in the JSP specification.

As you can see, checking for the presence or absence of a session is not a very
useful mechanism.  Most applications that want to enforce their own security scheme
will put a user object into the session attributes on successful login, and check
for the presence of that object.  The absence of the object means that either the
user logged out (and you removed it), or the session was invalidated or timed out,
and a new one was created.

> rick

Craig McClanahan

View raw message