
JSP and Session Management

 
Eric Ferrer
Greenhorn
Posts: 2
Hi,
I am implementing a single site login web application system. As the site grows, new applications will be developed and the need for more application specific user data will grow. Currently, we do personalization by getting information about the user from a database, using a helper class and storing that information in the session object. Our JSPs have logic that controls the web presentation layer based on values found in the user's session. We explicitly tell the JSPs to look for values in the session scope. Should I be doing this? Does anyone have any suggestions to keep JSP logic down to a minimum or none at all? I think my current decision runs the risk of having too much data in the session object.
Thanks,
Eric
 
William Brogden
Author and all-around good cowpoke
Rancher
Posts: 13062
That's what sessions are designed for. A good servlet container will write excess session objects to disk if memory gets tight, so make sure the things you store are serializable.
You should not store objects that represent system resources such as database connections.
Bill

 
Roger Kerr
Greenhorn
Posts: 2
Definitely keep it stashed in the session. You might consider using a JavaBean with the scope set to session to interact with your helper classes, store the information from the database, and even perform some of the logic currently on your JSP.
 
Eric Ferrer
Greenhorn
Posts: 2
Thanks for the information, it will help me out a lot. I did some coding and I created a generic Java bean that is robust and scalable for future applications, and I added it to the request scope versus picking things out of the session scope. Is this a poor design, as the bean can potentially become loaded with lots of data?
-Eric
[This message has been edited by Eric Ferrer (edited March 06, 2001).]
 
Paul Ramsden
Greenhorn
Posts: 28
Eric,
I have used a similar approach - so far, successfully!
My current headache is how to handle expired sessions gracefully. i.e. All my user information is in the session and it gets lost because the session times out. Normally I would steer the user to a log-in page and get him to log in again.
However, we are using Tivoli's Policy Director, which provides a single log-in. The login is performed on one of 2 servers, the name of which is passed to my app so that I can call the logout method at a later date. This information is stored with the user data in the session and also gets lost.
Does anyone have ideas where I could store such info so that it does not get lost?
Thanks
Paul
 
maha anna
Ranch Hand
Posts: 1467
Paul,
Make your session objects implement HttpSessionBindingListener and implement valueBound() and valueUnbound() methods. Please refer to this thread and servlet API.
http://www.javaranch.com/ubb/Forum7/HTML/002517.html
 
Paul Ramsden
Greenhorn
Posts: 28
Maha,
Thanks for your reply.
My problem remains, I think.
When the session dies, I want to redirect the user out of the secure session. Using the HttpSessionBindingEvent only tells an object to tidy itself up. I have no possibility in the Unbound method to jump to a new URL (which is what I need to do in my case).
At the moment I call a method from every JSP which checks that the session still contains a valid user object. I'm not happy though with this solution.
Paul
 
maha anna
Ranch Hand
Posts: 1467
Paul,
No. I think your approach is good. I also use your method of first checking whether the user has properly logged in and also has a user_specific session object in the session, as the FIRST TASK in ALL servlets and ALL JSPs.
The reason is, if any hacker tries to directly call one of our hidden JSPs without having logged in properly to our web application, our 'intelligent JSPs' will guide them to 'Login.jsp'.
regds
maha anna
[This message has been edited by maha anna (edited April 12, 2001).]
 