tomcat-users mailing list archives

From Rob Tanner <>
Subject Re: plain text login
Date Wed, 07 Mar 2001 08:54:34 GMT
If I understand what you're saying, the login.jsp page will include a 
form with two input elements, username and password, and a submit 
button.  The action attribute will be verify.jsp.  And what you're 
worried about is somebody skipping the login.jsp page and going 
straight to verify.jsp.

First of all, if someone tries to go directly to verify.jsp, you're 
still going to check the username and password elements which will 
return null if they didn't use login.jsp or otherwise fake the post. 
That's your first clue.  If the fields are not null, then you're going 
to validate the user before presenting the rest of the page, so there's 
no problem there.  If the issue is pages after verify.jsp, you can 
either create a session or simply create a cookie.  Choosing between 
the two mechanisms should be pretty straightforward.  If you're doing 
session kinds of things like an e-commerce shopping cart, for example, 
then create a session.  But if each successive page, each get and post, 
etc, is really independent of all the others, such as authenticating 
prior to viewing a document archive, then a simple cookie will do.  And 
in this latter scenario, if you need an inactivity timeout, use two 
cookies.  One is a persistent cookie with max age set (persistence is 
implied whenever max age is a positive value).  The other cookie should 
be a non-persistent cookie to assure that the user has to log back in 
again if he or she restarts the browser (otherwise, if the machine 
running the browser is in some sort of public kiosk, somebody coming up 
to use it right after the authenticated user quit the browser and left, 
would be able to re-invoke the browser and take advantage of the 
persistent cookie which might not have timed out yet).

-- Rob

--On Monday, March 05, 2001 07:24:28 PM -0800 Ryan 
<> wrote:

> To make things easier, I want to make a plain text login page called
> login.jsp that contains a form with fields to enter username and
> password. Then I will submit the info to a verify page (verify.jsp)
> that checks to see if the username and password combination matches
> that which is stored in a mySQL database.
> I was wondering how to keep only valid users from being able to
> access verify.jsp. meaning not just anyone could login into
> http://localhost/verify.jsp.  Would a session variable be the best
> way to do this? Where I would store the IP of the client and a
> special generated ID that would be saved in the session object and
> appended to the url.
> Does this sound like a reasonable way of approaching the problem. If
> so, I don't see the specs for a 'Session' object and how do I obtain
> the IP of the client?
> thanx
> -ryan

       _ _ _ _           _    _ _ _ _ _
      /\_\_\_\_\        /\_\ /\_\_\_\_\_\
     /\/_/_/_/_/       /\/_/ \/_/_/_/_/_/  QUIDQUID LATINE DICTUM SIT,
    /\/_/__\/_/ __    /\/_/    /\/_/          PROFUNDUM VIDITUR
   /\/_/_/_/_/ /\_\  /\/_/    /\/_/
  /\/_/ \/_/  /\/_/_/\/_/    /\/_/         (Whatever is said in Latin
  \/_/  \/_/  \/_/_/_/_/     \/_/              appears profound)

  Rob Tanner
  McMinnville, Oregon

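The two-cookie scheme Rob describes (a browser-session cookie plus a persistent, max-age cookie that serves as the inactivity timer), together with his "null fields" check on verify.jsp, written out as a servlet filter. This is an added example, not code from the original thread; it assumes the Servlet 4.0 (javax.servlet) API, and the cookie names, the 15-minute idle window and the in-memory token set are illustrative choices. The cookies carry a random token rather than the username or password, so a captured cookie reveals no credential.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;

// Illustrative: cookie names, IDLE_SECONDS and the token set are assumptions, not Tomcat APIs.
public class LoginGuardFilter implements Filter {
    static final String AUTH = "auth";   // non-persistent: dropped when the browser is closed
    static final String IDLE = "idle";   // persistent with max-age: the inactivity timer
    static final int IDLE_SECONDS = 15 * 60;
    private static final SecureRandom RNG = new SecureRandom();
    private static final java.util.Set<String> VALID = ConcurrentHashMap.newKeySet();

    // verify.jsp, step 1: a direct hit on verify.jsp without the form shows up as null fields.
    static boolean credentialsPresent(HttpServletRequest req) {
        return req.getParameter("username") != null && req.getParameter("password") != null;
    }
    // verify.jsp, step 2, only after the credentials have been checked: issue both cookies.
    static void issueCookies(HttpServletResponse resp) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        VALID.add(token);                                   // server-side record of live logins
        resp.addCookie(cookie(AUTH, token, -1));            // -1: lives only for the browser session
        resp.addCookie(cookie(IDLE, token, IDLE_SECONDS));  // positive max-age: persistent
    }
    private static Cookie cookie(String name, String value, int maxAge) {
        Cookie c = new Cookie(name, value);
        c.setPath("/"); c.setHttpOnly(true); c.setSecure(true); c.setMaxAge(maxAge);
        return c;
    }
    private static String cookieValue(HttpServletRequest req, String name) {
        Cookie[] cs = req.getCookies();
        if (cs == null) return null;
        for (Cookie c : cs) if (name.equals(c.getName())) return c.getValue();
        return null;
    }
    // Pages after verify.jsp: both cookies must be present, agree, and name a known token.
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse resp = (HttpServletResponse) rs;
        String a = cookieValue(req, AUTH), i = cookieValue(req, IDLE);
        if (a == null || i == null || !a.equals(i) || !VALID.contains(a)) {
            resp.sendRedirect(req.getContextPath() + "/login.jsp");  // missing, stale or forged
            return;
        }
        resp.addCookie(cookie(IDLE, i, IDLE_SECONDS));  // refresh: the timeout slides with activity
        chain.doFilter(rq, rs);
    }
}
```

Map the filter to every page behind the login (but not to login.jsp or verify.jsp), and remove the token from VALID on logout so the persistent cookie cannot be reused after the user signs out.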