tomcat-users mailing list archives

From "Mike Curwen" <gb_...@gb-im.com>
Subject RE: JDBCRealm - Session not timing out
Date Thu, 10 Jul 2003 18:07:53 GMT
Adding objects:

HttpSession session = request.getSession();
session.setAttribute("foo", "Foo");

If at some point in your code, you want to "log out" a user:

session.invalidate();

Then when they request a protected resource, the container "ought" to
re-authenticate them through FORM auth, because the session is where the
container "ought" to store this info.  But again, I don't *know* this
for certain.

There are plenty of other methods of interest on session.  You might
also read the javadocs for request.getSession() and the differences when
you supply a boolean parameter in that method.
 
The jsessionid in your address bar means only that the server cannot
determine (yet) if cookies are enabled on your client, and has
re-written the URL to contain the (in your case new) session id. Once
cookies are confirmed, the URL is no longer rewritten, unless your
container supports a configuration where URL rewriting is *always* done
(like iPlanet).


> -----Original Message-----
> From: Rick Roberts [mailto:techinfo@ait-web.com] 
> Sent: Thursday, July 10, 2003 12:56 PM
> To: Tomcat Users List
> Subject: Re: JDBCRealm - Session not timing out
> 
> 
>  > I'm not entirely sure about Form AUTH, but Basic AUTH doesn't use
>  > sessions.  The browser caches the login information provided and
>  > re-sends it on each request.  So, there is no real "time out" for Basic
>  > AUTH.  The only equivalent would be to close all open browsers.  This
>  > deletes the cache of the Basic AUTH credentials forcing the user to
>  > re-enter it once a new browser is opened and the protected web site is
>  > re-visited.
> 
> And that is exactly why Basic AUTH is unacceptable.  The only way to log in
> with different user credentials is to kill all instances of your browser.
> 
> I have seen references (hints) about invalidating the session to force a
> re-login.  However, I cannot find any information that explains how / when
> the session is created or how I can use that session.
> 
> (I frequently use session objects and am familiar with how they work, but
> using JDBCRealm is new to me)
> 
> When I set up for Form AUTH and navigate to the test URL, I see the following:
> 
> http://localhost/hd/login.jsp;jsessionid=9385A2CD74946FCFF922CC327699E22E
> 
> Which seems to indicate that a session has been created.
> 
> Now, if it has been created, how can I use it?  I would like to add my
> objects to the session object.
> 
> -- 
> *******************************************
> * Rick Roberts                            *
> * Advanced Information Technologies, Inc. *
> *******************************************


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


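A worked version of the "log out" step Mike describes above, added here as an example and not part of either message in the thread. It assumes a container-managed FORM-auth webapp on the javax.servlet API (Tomcat 4/5 era); the servlet name LogoutServlet is an assumption, and the /login.jsp path only echoes the URL Rick posted. The "foo" attribute is the one from Mike's reply.

```java
// Added example, not from the original thread: a logout servlet for a webapp
// protected by container-managed FORM authentication (javax.servlet API).
// Assumed names: LogoutServlet and the /login.jsp redirect target.
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LogoutServlet extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession(false) returns null instead of creating a session.
        // A logout request should never mint a fresh session for an
        // anonymous client, so this is the variant to use here; plain
        // getSession() would create one when none exists.
        HttpSession session = request.getSession(false);

        if (session != null) {
            // Anything the application stored earlier, e.g.
            // session.setAttribute("foo", "Foo"), is discarded together with
            // the container's authenticated-principal state for this session.
            session.invalidate();
        }

        // Stop browsers and proxies from replaying a cached copy of a page
        // that was served to the now-logged-out user.
        response.setHeader("Cache-Control", "no-store");
        response.setHeader("Pragma", "no-cache");

        // The next request for a protected resource has no valid session
        // (and no valid jsessionid, whether sent as a cookie or in the URL),
        // so the container presents the FORM login page again.
        response.sendRedirect(request.getContextPath() + "/login.jsp");
    }

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Allow logout via a form submit as well as a plain link.
        doGet(request, response);
    }
}
```

Mapping the servlet to a URL such as /logout in web.xml is all that is needed. Note that the redirect is not passed through response.encodeRedirectURL(): after invalidate() there is no session left to encode, and the container will issue a new session id (and, until cookies are confirmed, rewrite URLs with it) when the login page is requested.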

