I'm planning out an admin section for a web site I'm working on, and security is something I have a question about. Typically, I'd set a String to session when a user logs in and check for that variable on every "admin page". This works ok, but the session doesn't always die out until they close the browser window (even after I invalidate their session in a logout script). Can anybody recommend a better way to handle security of a section of my site?
Have a look at the authentication and authorization that should be built into your application server. It is possible to set up a single rule stating "No-one can login to /admin/ unless I know who they are and they are allowed in there." Letting the server take care of authentication is a lot easier and safer than trying to manage it on a per-page basis. Dave
I suggest you use JAAS for setting up the security module in your website. But, coming to your original question, I still don't understand how the session object was alive on the server even after you called invalidate on it.
Chris Stewart (Ranch Hand, joined Sep 14, 2002, 184 posts) posted:
Originally posted by Manjunath Subramanian: But, coming to your original question, I still don't understand how the session object was alive on the server even after you called invalidate on it.
I don't either. I implemented the session value way last night and it invalidates just fine. I guess I'll stick with this for now.
In the long term, you'll really gain by using JAAS and server security. My webapps have a security rule in web.xml such that URLs with /admin in the path are restricted to users in the administrator role. Thus, the security is enforced by the server and I don't have to maintain code in each and every servlet and JSP.
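The rule described in the post above, written out as a web.xml fragment. This is an added example, not the poster's own configuration; the role name "administrator", the login and error page paths, and the realm name are assumptions.

```xml
<!-- Added example of container-managed security for a servlet web app.
     Not the poster's configuration: "administrator", /login.jsp,
     /login-error.jsp and the realm name are assumed values. -->

<!-- Everything under /admin/ requires an authenticated user who holds the
     "administrator" role. No <http-method> is listed on purpose: listing
     methods would constrain only those and leave every other method open. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin area</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
  </auth-constraint>
  <!-- Force HTTPS for the admin area so the session cookie is not sent in clear. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- How the container authenticates users who hit a protected URL. -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Site admin</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- Declare the role so the container can map it to users or groups in its realm. -->
<security-role>
  <role-name>administrator</role-name>
</security-role>
```

Which users or groups actually hold the "administrator" role is decided in the server's realm configuration (a JAAS login module, a database realm, and so on), not in web.xml, so the same deployment descriptor works unchanged across environments. Because the constraint is evaluated by the container before any servlet or JSP runs, forgetting the session check in one page cannot expose it.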