Web application security...

 
Chris Stewart
I'm planning out an admin section for a web site I'm working on, and security is something I have a question about. Typically, I'd set a String to session when a user logs in and check for that variable on every "admin page". This works ok, but the session doesn't always die out until they close the browser window (even after I invalidate their session in a logout script).
Can anybody recommend a better way to handle security of a section of my site?
 
David O'Meara
I'm not sure I understand.
What are your requirements?
 
Chris Stewart
The only req as far as security goes is to make sure nobody can access the pages in the admin section (/admin/) unless they have logged in.
 
David O'Meara
Have a look at the authentication and authorization that should be built into your application server. It is possible to set up a single rule stating "No-one can log in to /admin/ unless I know who they are and they are allowed in there."
Letting the server take care of authentication is a lot easier and safer than trying to manage it on a per-page basis.
Dave
 
Manjunath Subramanian
I suggest you use JAAS for setting up the security module in your website.
But, coming to your original question, I still don't understand how the session object was alive on the server even after you called invalidate on it.
 
Chris Stewart
Originally posted by Manjunath Subramanian:
But, coming to your original question, I still don't understand how the session object was alive on the server even after you called invalidate on it.

I don't either. I implemented the session value way last night and it invalidates just fine. I guess I'll stick with this for now.
 
Tim Holloway
In the long term, you'll really gain by using JAAS and server security. My webapps have a security rule in web.xml such that URLs with /admin in the path are restricted to users in the administrator role. Thus, the security is enforced by the server and I don't have to maintain code in each and every servlet and JSP.
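The web.xml rule described above, written out as an added example (not from the thread or any poster's own deployment): a security-constraint that hands /admin/* to the container instead of checking a session attribute in every page. The role name "administrator", the login page paths and the realm name are assumptions; the container's realm (JAAS or otherwise) must map real users to that role.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: container-managed security for the /admin/ section -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Every URL under /admin/ requires an authenticated user in the
       administrator role. No http-method is listed on purpose, so the
       constraint applies to all methods rather than only GET/POST. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin section</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Require TLS so the session cookie and credentials are not sent in the clear -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Form-based login; the container redirects unauthenticated requests here.
       The login pages must live outside /admin/ or they would be protected too. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Admin</realm-name>   <!-- assumed realm name -->
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>         <!-- assumed path -->
      <form-error-page>/login-error.jsp</form-error-page>   <!-- assumed path -->
    </form-login-config>
  </login-config>

  <!-- Declare the role so the container can map it to users in its realm -->
  <security-role>
    <role-name>administrator</role-name>
  </security-role>

  <!-- Idle sessions expire on the server after 15 minutes, independent of
       whether the browser window is still open -->
  <session-config>
    <session-timeout>15</session-timeout>
  </session-config>
</web-app>
```

A logout link still calls `HttpSession.invalidate()`; with this in place the container, not each servlet or JSP, refuses any later request to /admin/* until the user authenticates again.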
 