bookmark not redirecting to login page

Chris Mattmiller
Greenhorn

Joined: Apr 28, 2008
Posts: 10
Hello everyone,
I have a couple of webpages that require a user to be logged in. Normally a user goes through our main web page to log in; however, we recently discovered that one user has bookmarked a page after he logged in and now is able to bypass the login page. Is there a way to prevent this from happening?
Here is what I have for the getSession. Should it be false?


I also have the timeout in web.xml set for 60 minutes.

Thank you in advance.
[ December 03, 2008: Message edited by: Chris Mattmiller ]
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39575
Yes, it should be false. As it is, a session will be created if none exists. Thus the body of the if condition will never be executed.


Chris Mattmiller
Greenhorn

Joined: Apr 28, 2008
Posts: 10
Okay... I just tried that. Now after logging in, when I click a link to a secure page, it redirects me to the login page again. I log in again, click the link and now it takes me to the page. But if I click another link, it redirects me to the login page again. Any way to prevent the multiple logins?
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

I avoid testing the session object itself.
There are a lot of reasons why it might not be null (JSPs by default create a session object).

Instead I bind an object to session during the login process and test for the existence of that object.


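The approach described in the reply above (bind an object to the session during login, then test for that object rather than for the session itself), written as a servlet filter. This is an added example, not code posted by anyone in the thread; it assumes the javax.servlet API, reuses the thread's "validated" attribute name, and the `AuthFilter` class, the `markLoggedIn` helper and the `/main/login` path are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example. Map this filter to the protected URLs (e.g. /secure/*) in web.xml.
public class AuthFilter implements Filter {
    // Attribute name taken from the thread; the login path is an assumption.
    static final String AUTH_ATTR = "validated";
    static final String LOGIN_PATH = "/main/login";

    // Call from the login servlet only after the credentials have been verified.
    public static void markLoggedIn(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();            // drop any pre-login session (fixation defence)
        }
        req.getSession(true).setAttribute(AUTH_ATTR, Boolean.TRUE);
    }

    // True only if a session already exists AND it carries the login marker.
    static boolean isLoggedIn(HttpServletRequest req) {
        HttpSession session = req.getSession(false);   // never creates a session
        return session != null && Boolean.TRUE.equals(session.getAttribute(AUTH_ATTR));
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        if (!isLoggedIn(req)) {
            // Bookmarked or hand-typed URL without a valid login: go to the login page.
            res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + LOGIN_PATH));
            return;                      // do not run the protected servlet/JSP
        }
        // Keep protected pages out of browser and proxy caches.
        res.setHeader("Cache-Control", "no-store");
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

Sessions are scoped to a single web application, so the marker set by `markLoggedIn` is only visible to the filter when the login servlet and the protected pages are deployed in the same context.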
Chris Mattmiller
Greenhorn

Joined: Apr 28, 2008
Posts: 10
I added this code to my login servlet:


and I added this to my order servlet (there is a link on secure.jsp for order.jsp)



I get redirected to the secure.jsp. When I click on the link for order.jsp I get redirected back to the login. The account number is there, but validated is null. Should I not be setting 2 different parameters?
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Why are you looking for the 'validated' variable as a form parameter?

Why aren't you checking it in session?
Chris Mattmiller
Greenhorn

Joined: Apr 28, 2008
Posts: 10
Shouldn't request.getParameter("validated") return either "true" or "false", not null?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39575
Ben's point is that if you add those attributes to the session, then the session is where you need to retrieve them from. They're not request parameters.
Chris Mattmiller
Greenhorn

Joined: Apr 28, 2008
Posts: 10
Originally posted by Chris Mattmiller:
Shouldn't request.getParameter("validated") return either "true" or "false", not null?



Sorry, I should have had session.getAttribute("validated"), which still returns null and not "true" or "false".
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

If your session hasn't got a "validated" attribute (new session), then it will return null.
Chris Mattmiller
Greenhorn

Joined: Apr 28, 2008
Posts: 10
I think the issue lies in how everything is set up on the webserver. Right now they have a different path for the main pages (including login page) and another path for the secure pages.
For more clarity:
Login Pages - /webserverpath/main/login
Secure Pages - /webserverpath/secure

Does that make sense? If so, could that be the issue? I just started working with this about 6 months ago, only changing a few things here and there. Never had to deal with the security end of it, and unfortunately the guy who did deal with it has been gone for over a year.
Chris Mattmiller
Greenhorn

Joined: Apr 28, 2008
Posts: 10
I think I may have solved the problem by adding:


From my testing that seems to be working.
Chris Mattmiller
Greenhorn

Joined: Apr 28, 2008
Posts: 10
Never mind, that's not working either.
 