Prevent automatic session invalidate when I click a link in JSF

 
Greenhorn
Posts: 2
I am developing a JSF based web application. In this, I am obtaining user credentials and comparing one with existing in DB. Upon matching, I am creating a session and redirecting to a page with all links related to that user, and I am successfully accessing the session here in this page. Everything is OK up to here. But if I click any link in this page, a new page appears but the existing session automatically expires and a new session is created. My actual requirement is not to create a new session and to remain with the old session.

Upon giving valid loginname and password, one.xhtml is rendering with session attribute user perfectly. But when I clicked the link to two.xhtml, I am not getting session attributes. But actually I don't want to create new session even in two.xhtml. The current session is to be expired only when I clicked logout link.

Please help me. Thank you in advance.
Please find the JSF Pages, Beans and DAOs. And help me.

 
Saloon Keeper
Posts: 27762
I have a technical term that I use when describing security systems such as what you have outlined. That term is "hacked".

No joke. Over 90% of all the "write-your-own-login" systems I've seen over the last decade or so working with J2EE have been easily exploitable by non-technical people in 10 minutes or less. Unless you are a full-time formally trained security expert, you should not try writing your own login/security system. Nor for that matter, using one created by some in-house "genius". Security is very much a weakest-link thing and if it's something you have to do in addition to your main job, you shouldn't be doing it at all. Use the pre-written security system that comes standard as part of J2EE/JEE. Because that system was designed by full-time security experts and it avoids such common mistakes as "obtaining user credentials and comparing one with existing in DB".

It will also maintain (or create) a session. The jsessionid value changes, but that's for security reasons. The actual session and its data do not.
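
A sketch of the container-managed login the reply above recommends, as a `web.xml` fragment. It is an added example, not code posted by either participant in this thread. The `/secured/*` URL pattern, the `user` role name and the login/error page paths are assumptions, and the user store (realm) is configured in the application server, not here.

```xml
<!-- Added example: declarative (container-managed) security in WEB-INF/web.xml. -->
<!-- Assumption: one.xhtml and two.xhtml are served under /secured/. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Member pages</web-resource-name>
        <url-pattern>/secured/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <!-- Assumed role name; it must exist in the server's realm. -->
        <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
        <!-- Credentials and the session cookie travel over TLS only. -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <!-- Assumed paths. The login page is a plain HTML form that POSTs the
             fields j_username and j_password to the action j_security_check.
             The container, not application code, checks the credentials. -->
        <form-login-page>/login.xhtml</form-login-page>
        <form-error-page>/login-error.xhtml</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <role-name>user</role-name>
</security-role>

<session-config>
    <cookie-config>
        <!-- Keep the session id away from page scripts and off plain HTTP. -->
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <!-- Carry the session id in a cookie only, never in the URL. -->
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
```

With this in place, pages and beans read the authenticated identity from the container (for example `HttpServletRequest.getRemoteUser()` or `isUserInRole("user")`) instead of a hand-set session attribute, and logout is `HttpServletRequest.logout()` followed by `HttpSession.invalidate()`.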
 