
JSession ID issue

 
Santhosh ayiappan
Ranch Hand
Posts: 80
Hi,

I have a web application with many hyperlinks. Links that appear on the home page of the user are role based. Say I have 2 roles, Manager and Non Manager.

First, the user with the Manager role logs in and a JSession id is assigned to that user.
Next I log in with the Non Manager role. Now I capture the JSession ID of the manager and replace it for the Non Manager user.

As a result of this, the Non Manager user is able to view the links that are supposed to be displayed only for the Manager user.

Can anyone help on how this can be fixed?

Regards
Santhosh
 
Piyush Mangal
Ranch Hand
Posts: 196
You should always check userRole when displaying a link for any user. You can create a custom tag to implement this functionality.
You should be maintaining logged-in user information (user role as well) in the session, and when the user logs out, clear the user details from the session and invalidate the session.
 
Santhosh ayiappan
Ranch Hand
Posts: 80
Here the session IDs of both the users are active. Both the users have not logged out.

Non Manager user is trying to manipulate using the JSession id of the Manager user.

Regards
Santhosh
 
Piyush Mangal
Ranch Hand
Posts: 196
Santhosh ayiappan wrote: Here the session IDs of both the users are active. Both the users have not logged out.

Non Manager user is trying to manipulate using the JSession id of the Manager user.

Regards
Santhosh


How can one user log in without another user logging out of the application?
This is only possible if you are explicitly taking the user to the login screen. If this is the case, your logged-in user information in the session should get replaced with the recently logged-in user. What is the issue here?
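
The advice in the replies above (keep the role in the session, check it server-side, replace it on login, invalidate on logout), sketched as an added example that is not part of the original thread. It assumes the javax.servlet API (Servlet 3.x or later); the attribute names `userName` and `userRole`, the `MANAGER` value and the class names are hypothetical.

```java
// Added illustration, not code from the thread. Attribute names, the
// "MANAGER" role value and class names are assumptions made for the example.
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class SessionRoleExample {

    /** Login: start a fresh session so the role is bound to a new JSESSIONID. */
    static void login(HttpServletRequest req, String user, String role) {
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();      // drop the previous user's data
        HttpSession s = req.getSession(true);   // new session, new session ID
        s.setAttribute("userName", user);
        s.setAttribute("userRole", role);       // role is stored server-side only
        s.setMaxInactiveInterval(15 * 60);      // idle timeout in seconds
    }

    /** Logout: clear the user details by invalidating the whole session. */
    static void logout(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        if (s != null) s.invalidate();
    }

    /** Map this filter to manager-only URLs; hiding links alone is not a check. */
    public static class ManagerOnlyFilter implements Filter {
        @Override public void init(FilterConfig cfg) {}
        @Override public void destroy() {}

        @Override
        public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) rq;
            HttpServletResponse res = (HttpServletResponse) rs;
            HttpSession s = req.getSession(false);   // never create one here
            Object role = (s == null) ? null : s.getAttribute("userRole");
            if (!"MANAGER".equals(role)) {
                res.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            chain.doFilter(rq, rs);                  // role verified for this request
        }
    }
}
```

A request that presents the manager's JSESSIONID is treated by the container as the manager's session, so these checks do not distinguish the two browsers; the ID itself also has to be protected in transit and in the browser (HTTPS, Secure and HttpOnly cookie flags).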
 