I'm currently working on a module in which we have to restrict the user to changing the password when the password has expired.
I have done all the things. Suppose the password has expired and the user types his user name and password: the first page that opens is the one where the user must change the password. There is no provision to go to another page without changing the password; the user can only log out from here.
But the problem is that the user can leave this page (where the user must change the password) by typing a URL into the address bar, without changing the password.
What is the solution? Please reply soon if possible. Bye.
Hello, I don't know whether your page is JSP or not. If it is JSP, you can write a FLAG in the session, for example: request.getSession().setAttribute("expired","true"); As soon as the user has changed his (or her) expired password, you can change the FLAG. You should check the flag in every page: if the password is not expired, go to the page the user requested, or else go to the page where the user has to change his (or her) password.
Can the user also access those pages by typing the URL into the browser without being logged in?
Hi, I don't think the user can access the page by typing a URL into the browser without being logged in. Every function of the system should check whether a user has logged in. We can set the user information into the session, then check whether the information is there!
If you want to make sure the user can't type in the URL to get to a protected page, put them all inside the WEB-INF directory somewhere and use a controller servlet to forward requests to them. That way the client never gets a URL to the pages, in fact there is no such URL. And the controller can reject any request that doesn't have the right credentials.
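Added example, not code from any poster in this thread: a servlet filter that performs the session-flag check suggested above on every request in one place, so no page has to remember to do it. The paths /login, /changePassword and /logout and the "user" session attribute are assumptions; the "expired" attribute is the flag from the earlier reply.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: map this filter to /* in web.xml so every request passes through it.
public class PasswordExpiryFilter implements Filter {
    // Hypothetical paths; replace with the application's own URLs.
    private static final String LOGIN = "/login";
    private static final String CHANGE = "/changePassword";
    // The only paths reachable while the password is expired.
    private static final Set<String> WHEN_EXPIRED =
            new HashSet<>(Arrays.asList(CHANGE, "/logout"));

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // Path inside the application (context path excluded).
        String path = req.getServletPath()
                + (req.getPathInfo() == null ? "" : req.getPathInfo());

        // getSession(false): never create a session for an anonymous request.
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("user") != null;
        if (!loggedIn) {
            // Not logged in: only the login page is served.
            if (LOGIN.equals(path)) chain.doFilter(rq, rs);
            else res.sendRedirect(req.getContextPath() + LOGIN);
            return;
        }
        // Flag written at login as setAttribute("expired", "true").
        boolean expired = "true".equals(String.valueOf(session.getAttribute("expired")));
        if (expired && !WHEN_EXPIRED.contains(path)) {
            // Default deny: a typed-in URL lands back on the change-password page.
            res.sendRedirect(req.getContextPath() + CHANGE);
            return;
        }
        chain.doFilter(rq, rs);
    }
}
```

The change-password handler should set the flag to "false" (or remove it) only after the new password has been stored. As written, the filter also redirects requests for static resources, so add any public CSS or image paths to the allowed sets if the login page needs them.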