Hello everyone, I have a couple of webpages that require a user to be logged in. Normally a user goes through our main web page to login, however we recently discovered that one user has bookmarked a page after he logged in and now is able to bypass the login page. Is there a way to prevent this from happening? Here is what I have for the getSession, should it be false?
I also have the timeout in web.xml set for 60 minutes.
Thank you in advance. [ December 03, 2008: Message edited by: Chris Mattmiller ]
Yes, it should be false. As it is, a session will be created if none exists. Thus the body of the if condition will never be executed.
Okay...I just tried that. Now, after logging in, when I click a link to a secure page it redirects me to the login page again. I log in again, click the link, and now it takes me to the page. But if I click another link, it redirects me to the login page again. Any way to prevent the multiple logins?
and I added this to my order servlet (there is a link on secure.jsp for order.jsp)
I get redirected to the secure.jsp. When I click on the link for order.jsp I get redirected back to the login. The account number is there, but validated is null. Should I not be setting 2 different parameters?
If your session hasn't got a "validated" attribute (new session), then it will return null.
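As an added illustration of the two replies above (example code, not from this thread or its poster): a servlet Filter in front of the secure pages that only honours an existing session (getSession(false)) carrying the "validated" attribute, plus the matching login-side code. The names SecurePageFilter, LOGIN_PAGE, markLoggedIn and the "account" attribute are assumptions; "validated" is the attribute the thread already uses.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Map this filter to /secure/* in web.xml:
//   <filter-mapping><filter-name>securePageFilter</filter-name>
//                   <url-pattern>/secure/*</url-pattern></filter-mapping>
public class SecurePageFilter implements Filter {
    // Assumed location of the login page, relative to the context root.
    private static final String LOGIN_PAGE = "/main/login.jsp";

    public void init(FilterConfig cfg) {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // false: never create a session here. A bookmarked URL opened in a fresh
        // browser has no session, so this returns null instead of a new, empty one.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null
                && Boolean.TRUE.equals(session.getAttribute("validated"));

        if (!loggedIn) {
            // Not validated (or no session at all): send to the login page.
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {}

    // Called from the login servlet only AFTER the credentials have checked out.
    // Any pre-login session is discarded so the logged-in session is a fresh one.
    public static void markLoggedIn(HttpServletRequest request, String accountNumber) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true); // create on success only
        session.setAttribute("validated", Boolean.TRUE);
        session.setAttribute("account", accountNumber);
    }
}
```

The filter and the login servlet must belong to the same web application (context), because the session cookie is scoped to the context path; if the main and secure pages are deployed as separate contexts, the session created at login is not visible on the secure pages.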
I think the issue lies in how everything is set up on the webserver. Right now they have a different path for the main pages (including login page) and another path for the secure pages. For more clarity:
Login Pages - /webserverpath/main/login
Secure Pages - /webserverpath/secure
Does that make sense? If so, could that be the issue? I just started working with this about 6 months ago, only changing a few things here and there. Never had to deal with the security end of it, and unfortunately the guy who did deal with it has been gone for over a year.