tomcat-users mailing list archives

From "COLE,GLENN (Non-HP-SantaClara,ex2)" <glenn_c...@non.hp.com>
Subject RE: detecting timeout (was: Session Problem)
Date Thu, 04 Jan 2001 23:12:01 GMT
>> >    HttpSession session = request.getSession();
>> >    // the login marker is stored in the session, not in the request
>> >    String username = (String) session.getAttribute("user");
>> >    if (username == null) {
>> >        // ... the user is *not* logged on ...
>> >    } else {
>> >        // ... the user *is* logged on ...
>> >    }
[snip]
>> >* If the session has timed out, a new session will be created
>> >  by the logic above -- but the "user" attribute will be missing
>> >  (because the user has not gone through your "login" yet).
>> >  Typically, you would redirect them to the login page here.

>> If the user tries to bookmark a page inside the application,
>> so they can return at a later date without signing on (a no-no),
>> the symptom appears the same.

>That's why I mentioned in the text above to do a check like this on *every*
>request.  Similar code would be needed at the top of every JSP page in a
>servlets+JSP app -- in the Struts Framework <http://jakarta.apache.org/struts>
>example application, I demonstrate how to build a nice little custom tag that
>does this for you so that you don't have to laboriously cut and paste the code.

No doubt that's a much better solution than my current
<%@ include file="check_logged_in.jsp" %> hack.  There's
so much to learn....


>> So the question I had was:  how can I detect whether they tried this
>> "deep bookmark," or whether the session just timed out?

>If you care, you can try the "check the referer" trick, but if you're going
>to do the same thing anyway (redirect the user to the login page), does it
>really make a difference?

To me, even though the eventual action is the same, it *does* 
make a difference.

That's because as a user, I'd like to know *why* it is that I'm
being asked to sign on, even though I did so "a little while ago."

I could probably have a more general page that would cover both
bases ("either your session timed out, or you did not use the
login page"), but I'd rather be more specific, if doing so is not
an outrageous amount of work.

Thanks for the feedback, Craig!

--Glenn
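
Added example, not part of the original message and not code from Tomcat or Struts: one way to tell the two cases apart for the user-facing message, using the servlet API's `getRequestedSessionId()` and `isRequestedSessionIdValid()`. The class name `LoginCheck`, the `/login.jsp` path and the `reason` parameter are assumptions; the `"user"` session attribute is the login marker from the thread.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical helper; call it at the top of every protected servlet or JSP. */
public final class LoginCheck {

    public enum Reason { LOGGED_IN, SESSION_EXPIRED, NOT_LOGGED_IN }

    /** Classifies the request without creating a session as a side effect. */
    public static Reason classify(HttpServletRequest request) {
        HttpSession session = request.getSession(false);   // do not create one
        if (session != null && session.getAttribute("user") != null) {
            return Reason.LOGGED_IN;
        }
        // The client sent a session id (cookie or URL) that the container no
        // longer recognises: most likely the session timed out.
        if (request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid()) {
            return Reason.SESSION_EXPIRED;
        }
        // No session id at all, or a live session that never logged in:
        // for example a bookmark opened in a fresh browser.
        return Reason.NOT_LOGGED_IN;
    }

    /**
     * Returns true if the caller may continue; otherwise redirects to the
     * login page. The reason only selects the message shown to the user.
     * The session id is client-supplied, so the access decision itself
     * depends solely on the server-side "user" attribute.
     */
    public static boolean require(HttpServletRequest request,
                                  HttpServletResponse response) throws IOException {
        Reason reason = classify(request);
        if (reason == Reason.LOGGED_IN) {
            return true;
        }
        // "/login.jsp" and the "reason" parameter are assumed names.
        String target = request.getContextPath() + "/login.jsp?reason="
                + (reason == Reason.SESSION_EXPIRED ? "expired" : "login");
        response.sendRedirect(response.encodeRedirectURL(target));
        return false;
    }
}
```

A browser restart discards the session cookie, so a timed-out user who reopens the browser is classified as `NOT_LOGGED_IN`. Like the Referer header, the requested session id comes from the client, so it is suitable for choosing a message and nothing more.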
