JSession ID issue

Santhosh ayiappan
Ranch Hand

Joined: Jan 30, 2007
Posts: 80

Hi,

I have a web application with many hyperlinks. Links that appear on the home page of the user are role based. Say I have 2 roles, Manager and Non Manager.

First, the user with the Manager role logs in and a JSession id is assigned to that user.
Next I log in with the Non Manager role. Now I capture the JSession ID of the manager and replace it for Non Manager user.

As a result of this, the Non Manager user is able to view the links that are supposed to be displayed only for the Manager user.

Can anyone help on how this can be fixed?

Regards
Santhosh
Piyush Mangal
Ranch Hand

Joined: Jan 22, 2007
Posts: 196
You should always check userRole when displaying a link for any user. You can create a custom tag to implement this functionality.
You should be maintaining logged-in user information (user role as well) in the session, and when the user logs out, clear the user details from the session and invalidate the session.
Santhosh ayiappan
Ranch Hand

Joined: Jan 30, 2007
Posts: 80

Here the session IDs of both the users are active. Both the users have not logged out.

Non Manager user is trying to manipulate using the JSession id of the Manager user.

Regards
Santhosh
Piyush Mangal
Ranch Hand

Joined: Jan 22, 2007
Posts: 196
Santhosh ayiappan wrote: Here the session IDs of both the users are active. Both the users have not logged out.

Non Manager user is trying to manipulate using the JSession id of the Manager user.

Regards
Santhosh


How can one user log in without another user logging out of the application?
This is only possible if you are explicitly taking the user to the login screen. If this is the case, your logged-in user information in the session should get replaced with the recently logged-in user. What is the issue here?
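
Added example, not part of the original posts: one way to implement what the two replies above describe (role kept in the session, checked before a link is shown, replaced on a new login, cleared on logout) with the standard javax.servlet API. The class, method and attribute names are hypothetical, and the servlet API is assumed to be on the classpath.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Added example; class, method and attribute names are hypothetical. */
public final class SessionRoles {
    // Session attributes set by the server at login, never taken from the request.
    private static final String USER_ATTR = "userName";
    private static final String ROLE_ATTR = "userRole";

    private SessionRoles() {}

    /** Call after credentials are verified; role comes from the server's user store. */
    public static void onLogin(HttpServletRequest req, String userName, String role) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();                      // drop the previous user's details
        }
        HttpSession fresh = req.getSession(true);  // new session, new JSESSIONID
        fresh.setAttribute(USER_ATTR, userName);
        fresh.setAttribute(ROLE_ATTR, role);
    }

    /** Role check to run before rendering a role-specific link. */
    public static boolean hasRole(HttpServletRequest req, String requiredRole) {
        HttpSession session = req.getSession(false);  // do not create a session here
        if (session == null) {
            return false;                          // not logged in: show nothing
        }
        Object role = session.getAttribute(ROLE_ATTR);
        return requiredRole.equals(role);          // false when the role is missing
    }

    /** Clear the user details and end the session, as the reply suggests. */
    public static void onLogout(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.removeAttribute(USER_ATTR);
            session.removeAttribute(ROLE_ATTR);
            session.invalidate();                  // old JSESSIONID maps to no role
        }
    }
}
```

`hasRole` reads whichever session the request's JSESSIONID names, so a request carrying the Manager's still-active ID is answered with the Manager's role; the code covers role display and cleanup at login and logout, not a live session ID that has been copied.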
 