tomcat-users mailing list archives

From Adam Hardy <ahardy.str...@cyberspaceroad.com>
Subject Re: servlet sendRedirect() to j_security_check problem (remember me)
Date Wed, 03 Dec 2003 23:21:00 GMT
Matt,
are you really managing to post a form to j_security_check without 
invoking it first, or is that some sort of black magic you've cooked up?

Or have I just misunderstood what Chris said?

Adam

On 12/03/2003 09:24 PM Matt Raible wrote:
> Chris,
> 
> I found your post at
> http://www.mail-archive.com/tomcat-user%40jakarta.apache.org/msg111700.html
> and I'm cc'ing the list in case anyone else is interested in this info
> (I'm not subscribed).
> 
> I've actually improved the "Remember Me" feature a fair amount since I
> posted to the Tomcat User list.  The sendRedirect works; however, it
> (in some browsers) puts the URL (with password) into the address bar.
> This isn't a big deal IMO since it's the user that just logged in and
> they don't mind seeing their own passwords.  However, the URL tends to
> show up in server log files, which can be a security hole.  Because of
> this, I changed to using an HTTP Post with Jakarta Commons HttpClient.
> I also moved my form-login-page and form-error-page into a "security"
> folder and then set my cookies for the /appname/security path rather
> than / - this makes it so the user/pass cookies are more secure and can
> only be retrieved when logging in, rather than for any URL in the site.
> 
> That being said, I've updated one of my sample apps with these changes  
> and you can download it if you'd like:
> 
> http://raibledesigns.com/wiki/Wiki.jsp?page=AppFuse
> 
> Here's my updated LoginServlet that does an Http Post instead of a Get:
> 
> http://tinyurl.com/xl80
> 
> HTH,
> 
> Matt
> 
> On Dec 3, 2003, at 12:52 PM, Chris Ward wrote:
> 
>>
>> Hi Matt,
>>
>> Sorry for sending unsolicited email, but I've been looking at some
>> of your postings to Tomcat-User and wondered if I could ask a
>> couple of questions.  I've tried posting to the list but had no response
>> from anyone there.
>>
>> Specifically, it's regarding your "remember me" login stuff.  If this
>> is a pain feel free to ignore this email.
>>
>>
>> Best regards
>> Chris
>>
>> p.s. My question to the list was under the subject
>> "servlet sendRedirect() to j_security_check problem"


-- 
struts 1.1 + tomcat 5.0.14 + java 1.4.2
Linux 2.4.20 RH9

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
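As an added example (not code from this thread, from AppFuse, or from Tomcat), the check below shows the two points Matt raises in a form a practitioner can run: it parses access-log lines in Tomcat's AccessLogValve common pattern (%h %l %u %t "%r" %s %b), flags any request whose query string carries the Servlet-spec form-login parameters j_username / j_password (which is what a sendRedirect to j_security_check produces, and what a POST does not), scrubs the password before the line is shipped anywhere, and applies the RFC 6265 path-match rule to show why a cookie set with Path=/appname/security is not presented on other URLs in the app. The log lines and the /appname paths are constructed for the example.

```python
"""Detect and scrub form-login credentials that a GET to j_security_check
leaves in access logs, plus the cookie Path rule behind the narrower scope.

Added example, not from the mailing-list thread. The log lines below are
constructed in the Tomcat AccessLogValve common pattern
(%h %l %u %t "%r" %s %b); j_username / j_password are the Servlet-spec
form-login parameter names that j_security_check consumes.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample: one leaky GET redirect, one POST, one ordinary page hit.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Dec/2003:21:24:00 +0000] "GET /appname/j_security_check?j_username=mraible&j_password=tomcat HTTP/1.1" 302 0
10.0.0.5 - - [03/Dec/2003:21:24:01 +0000] "POST /appname/j_security_check HTTP/1.1" 302 0
10.0.0.7 - - [03/Dec/2003:21:25:12 +0000] "GET /appname/index.jsp?page=2 HTTP/1.1" 200 1532
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

# The secret that must never appear in %r. A POST carries it in the body,
# which the access log does not record; a GET carries it in the request line.
SECRET_PARAMS = frozenset({"j_password"})


def find_credential_leaks(log_text):
    """Return (line_number, method, j_username) for each request whose query
    string carries a form-login password."""
    leaks = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log pattern; skip rather than guess
        query = urlsplit(m.group("target")).query
        params = dict(parse_qsl(query, keep_blank_values=True))
        if SECRET_PARAMS & params.keys():
            leaks.append((lineno, m.group("method"), params.get("j_username", "")))
    return leaks


def redact_line(line):
    """Replace the password value in the request target so the line can be
    kept or forwarded; all other parameters are left exactly as logged."""
    m = LOG_RE.match(line)
    if not m:
        return line
    parts = urlsplit(m.group("target"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(k in SECRET_PARAMS for k, _ in pairs):
        return line  # nothing secret here, do not touch the line
    scrubbed = [(k, "REDACTED" if k in SECRET_PARAMS else v) for k, v in pairs]
    new_target = urlunsplit(parts._replace(query=urlencode(scrubbed)))
    return line.replace(m.group("target"), new_target, 1)


def cookie_path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match: would a cookie with Path=cookie_path
    be sent on a request for request_path? This is why a cookie scoped to
    /appname/security is not presented for /appname/index.jsp."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


if __name__ == "__main__":
    for lineno, method, user in find_credential_leaks(SAMPLE_LOG):
        print(f"line {lineno}: {method} request logged the password for {user!r}")
    for line in SAMPLE_LOG.splitlines():
        print(redact_line(line))
    print(cookie_path_matches("/appname/security", "/appname/index.jsp"))
```

Run it as a script to see the one flagged line, the scrubbed log, and the path-match result. The Path scope only controls where the browser presents the cookie; it does nothing for the value stored in it, so the scrub step above is about the log copy of the credential, not the cookie.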

