Problems in managing sessions

Dear colleagues,

OK, here goes my first post in this forum....

I'm new in Java development and I'm trying to develop an application in which I have to manage sessions to check users login previously to the access of a set of JSP pages. I'm breaking my head with sessions management and I can't identify the session that I previously created in a servlet. I mean, I have a servlet in which I check the user name and password and once the user has been validated, I include the user name in a session variable.

My problem is that in the JSP pages or filters I access after the user has been validated by the servlet, I cannot identify the variable I set in the servlet. When I do HttpSession sesion = request.getSession, I always get a different session ID. I extracted the following piece of code from the servlet in which I validate the user credentials:

HttpSession sesion = request.getSession(); if(sesion != null) { atributos = sesion.getAttributeNames(); while (atributos.hasMoreElements()) { sesion.removeAttribute((String) atributos.nextElement()); } } try { if (rs.next()) { if (rs.getString("user_pwd").compareTo(password_param) == 0) { if(sesion != null) { sesion.setAttribute ("usuario", usuario_param); } response.sendRedirect("http://localhost:8080/User/User.jsp"); } else { if(sesion != null) { sesion.setAttribute ("mensaje", "Password incorrecta para el usuario " + usuario_param); } response.sendRedirect("http://localhost:8080/Acceso/Acceso.jsp"); } } else { if(sesion != null) { sesion.setAttribute ("mensaje", "Usuario " + usuario_param + " no registrado"); } response.sendRedirect("http://localhost:8080/Acceso/Acceso.jsp"); } if(sesion != null) { System.out.println("IdSesion en CheckUser: "+sesion.getId()); atributos = sesion.getAttributeNames(); while (atributos.hasMoreElements()) { String name = (String) atributos.nextElement(); System.out.println(name + ": " + sesion.getAttribute(name)); } } else { System.out.println("No existe sesion"); } } catch(SQLException e) { e.printStackTrace(); }

So far everything works fine. The user credentials are checked correctly and the variable "usuario" is inclided in the session if everything ran OK, otherwise, the variable "mensaje" is set up.

I created a filter to check if the user has been validated before loading the next JSP Page. The code is shown below.

import java.io.*; import javax.servlet.*; import javax.servlet.http.*; public class FiltroUsuario implements Filter { private FilterConfig config; public void init(FilterConfig config) throws ServletException { this.config = config; } public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpSession session = ((HttpServletRequest)request).getSession(); if(session.getAttribute("usuario")==null) { RequestDispatcher dispatcher = request.getRequestDispatcher("/Acceso/Acceso.jsp"); dispatcher.forward(request, response); } else { chain.doFilter(request, response); } } public void destroy() { this.config = null; } }

Although the variable "usuario" already exists, the filter does not recognize it and therefore redirects me to the login page "/Acceso/Acceso.jsp".

Please could you help me to find out where the errors are? I guess it will be easy to find out, but as mentioned I'm quite new in Web development....

Many thanks in advance everybody.

Kind regards.

Likos.

Is your filter configured to fire even for the request that does the login logic? If so, the filter is checking before the value can be set into the session.

I also recommend a fair amount of code cleanup. All those checks for the null session can either be eliminated (are you ever really going to have a null session?) or at least consolidated to one place.

Also storing the password unencrypted and fetching it for comparison is not good security. You should be storing a hashed password, and just using a count fetch to see if a record with the encrypted value exists or not. That's also more efficient.

Dear Bear,

Thank you very much for your very useful advises. Regarding the filter problem, I found out where the problem was.
As you all may know, the session values are kept for a concrete application. As I did not have all the servlets and JSP pages yet integrated into the same application, the scopes of the sessions were different. But, OK this was finally sorted.

You’re right Bear, I’m pretty sure that the code could be very much improved, anyway this is not yet the definitive version as I included some code just for testing…

I’ll take your consideration about the way of storing and comparing passwords, with which I strongly agree. Thanks very much for it.
Sorry for having posted the code without any indentation, I was not aware of a way for a better presentation…

Kind regards and thanks again.