Login process

aitex abex

Joined: Jun 02, 2006
Posts: 20
I'm currently working on a module in which we have to restrict the user to changing the password when the password has expired.

I have done all the things... Suppose the password has expired and the user types his user name and password; the first page will open, where the user must change the password. There is no provision to go to another page without changing the password. The user can only log out from here.

But the problem is that the user can leave this page (where the user must change the password) by typing the URL into the address bar, without changing the password.

What is the solution?
Please reply soon if possible.
Justin Yao

Joined: Jun 16, 2006
Posts: 19
I don't know whether your page is JSP or not.
If it is JSP, you can write a FLAG in the session, for example:
as soon as the user has changed his (or her) expired password,
you can change the FLAG.
You should check the flag in every page; if the password is not expired,
go to the page the user requested, or else go to the page where the user has to change his (or her) password.

Ilja Preuss

Joined: Jul 11, 2001
Posts: 14112
Can the user also access those pages by typing the URL into the browser without being logged in?

The soul is dyed the color of its thoughts. Think only on those things that are in line with your principles and can bear the light of day. The content of your character is your choice. Day by day, what you do is who you become. Your integrity is your destiny - it is the light that guides your way. - Heraclitus
Justin Yao

Joined: Jun 16, 2006
Posts: 19
I don't think the user can access the page by typing a URL into the browser without being logged in.
Every function of the system should check whether a user has logged in. We can set the user information into the session, then check whether the information is there!

Jeroen T Wenting
Ranch Hand

Joined: Apr 21, 2006
Posts: 1847
If you want to make sure the user can't type in the URL to get to a protected page, put them all inside the WEB-INF directory somewhere and use a controller servlet to forward requests to them.
That way the client never gets a URL to the pages, in fact there is no such URL.
And the controller can reject any request that doesn't have the right credentials.
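
One way to apply the session-flag and central-check advice from the replies above, as an added example that is not code from any poster in this thread: a servlet filter that runs before every request, so typing a URL into the address bar cannot skip the check. The attribute names (`user`, `passwordExpired`) and the paths (`/login`, `/changePassword`, `/logout`) are assumptions; the login code is assumed to store `Boolean.FALSE` in the flag only when the password is still valid.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Map to /* in web.xml so every request passes through it, whatever URL is typed. */
public class PasswordExpiryFilter implements Filter {
    // Assumed names: session attributes set by the login code, and application paths.
    static final String USER_ATTR = "user";
    static final String EXPIRED_ATTR = "passwordExpired";
    static final String LOGIN = "/login";
    static final String CHANGE_PASSWORD = "/changePassword";
    static final String LOGOUT = "/logout";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // Container-decoded path inside the application, without ;jsessionid or query.
        String info = req.getPathInfo();
        String path = req.getServletPath() + (info == null ? "" : info);
        HttpSession session = req.getSession(false); // never create a session here

        if (session == null || session.getAttribute(USER_ATTR) == null) {
            // Not logged in: only the login page is reachable.
            if (path.equals(LOGIN)) chain.doFilter(rq, rs);
            else res.sendRedirect(req.getContextPath() + LOGIN);
            return;
        }
        // Fail closed: anything other than an explicit FALSE counts as expired.
        boolean expired = !Boolean.FALSE.equals(session.getAttribute(EXPIRED_ATTR));
        if (expired && !path.equals(CHANGE_PASSWORD) && !path.equals(LOGOUT)) {
            res.sendRedirect(req.getContextPath() + CHANGE_PASSWORD);
            return;
        }
        chain.doFilter(rq, rs); // logged in and password valid, or an allowed page
    }
}
```

The change-password handler should set the flag to `Boolean.FALSE` only after the new password has been stored. Keeping the JSPs under WEB-INF, as suggested above, complements the filter because the views then have no direct URL at all.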

Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42965
Jeroen is right on the money. Users should not access JSPs directly. Read this article by JavaRanch's Bear Bibeault on how to design a web app that avoids this.