JSP and Session Management

Eric Ferrer
Greenhorn

Joined: Mar 01, 2001
Posts: 2
Hi,
I am implementing a single site login web application system. As the site grows, new applications will be developed and the need for more application specific user data will grow. Currently, we do personalization by getting information about the user from a database, using a helper class and storing that information in the session object. Our JSPs have logic that controls the web presentation layer based on values found in the user's session. We explicitly tell the JSPs to look for values in the session scope. Should I be doing this? Does anyone have any suggestions to keep JSP logic down to a minimum or none at all? I think my current decision runs the risk of having too much data in the session object.
Thanks,
Eric
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12761
That's what sessions are designed for. A good servlet container will write excess session objects to disk if memory gets tight, so make sure the things you store are serializable.
You should not store objects that represent system resources such as database connections.
Bill

Roger Kerr
Greenhorn

Joined: Mar 06, 2001
Posts: 2
Definitely keep it stashed in the session. You might consider using a JavaBean with the scope set to session to interact with your helper classes, store the information from the database, and even perform some of the logic currently on your JSP.
Eric Ferrer
Greenhorn

Joined: Mar 01, 2001
Posts: 2
Thanks for the information, it will help me out a lot. I did some coding and I created a generic JavaBean that is robust and scalable for future applications and I added it to the request scope versus picking things out of the session scope. Is this a poor design as the bean can potentially become loaded with lots of data?
-Eric
[This message has been edited by Eric Ferrer (edited March 06, 2001).]
Paul Ramsden
Greenhorn

Joined: Sep 22, 2000
Posts: 28
Eric,
I have used a similar approach - so far, successfully!
My current headache is how to handle expired sessions gracefully, i.e. all my user information is in the session and it gets lost because the session times out. Normally I would steer the user to a log-in page and get him to log in again.
However, we are using Tivoli's Policy Director, which provides a single log-in. The login is performed on one of 2 servers, the name of which is passed to my app so that I can call the logout method at a later date. This information is stored with the user data in the session and also gets lost.
Does anyone have ideas where I could store such info so that it does not get lost?
Thanks
Paul
maha anna
Ranch Hand

Joined: Jan 31, 2000
Posts: 1467
Paul,
Make your session objects implement HttpSessionBindingListener and implement the valueBound() and valueUnbound() methods. Please refer to this thread and the servlet API.
http://www.javaranch.com/ubb/Forum7/HTML/002517.html
Paul Ramsden
Greenhorn

Joined: Sep 22, 2000
Posts: 28
Maha,
Thanks for your reply.
My problem remains, I think.
When the session dies, I want to redirect the user out of the secure session. Using the HttpSessionBindingEvent only tells an object to tidy itself up. I have no possibility in the valueUnbound() method to jump to a new URL (which is what I need to do in my case).
At the moment I call a method from every JSP which checks that the session still contains a valid user object. I'm not happy with this solution, though.
Paul
maha anna
Ranch Hand

Joined: Jan 31, 2000
Posts: 1467
Paul,
No. I think your approach is good. I also use your method of first checking whether the user has properly logged in and also has a user-specific session object in the session as the FIRST TASK in ALL servlets and ALL JSPs.
The reason is, if any hacker tries to directly call one of our hidden JSPs without having logged in properly to our web application, our 'intelligent JSPs' will guide them to 'Login.jsp'.
Regards,
maha anna
[This message has been edited by maha anna (edited April 12, 2001).]
 