tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rick Roberts <techi...@ait-web.com>
Subject Re: invalidating sessions
Date Wed, 23 Jul 2003 20:56:59 GMT
I'm not sure if there is a standard/accepted method but, this is what I do.

1. Inside index.jsp, I put this:

   <%session.setAttribute("VALIDSESSION", Boolean.TRUE);%>


2. At the top of each jsp file, I put this:

try{
     Boolean validSession = (Boolean)session.getAttribute("VALIDSESSION");
} catch (Exception e) {
     response.sendRedirect( "index.jsp" );
}


This places a value in VALIDSESSION when index.jsp loads up and then checks to 
see if VALIDSESSION is still valid when each JSP file is loaded afterwards.  If 
it is not valid then the user gets redirected back to index.jsp to start over.

I use JDBCRealm and FORM AUTH, so; when my session times out, I get sent to the 
login.jsp page, then after a successful login, j_security_check tries to send me 
to the page I originally requested when my session was still active.  Since many 
pages rely on information stored in the session, errors will occur without this 
check.


To invalidate an active session, simply do this:

session.invalidate();


Hope this helps,

-- 
*******************************************
* Rick Roberts                            *
* Advanced Information Technologies, Inc. *
*******************************************

James Michelich wrote:
> A quick question about invalidating sessions:
>  
> Is there a way to detect whether a session is still active without 
> implementing some sort of login/logout scheme (i.e. is there some way to 
> invalidate a session without explicit input from the user, other than 
> simply letting it time out)?
>  
> Thanks,
>  
> James
> 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Mime
View raw message