Bear Bibeault wrote: Checking the session itself for determining authentication is rife with problems. Don't do it that way.
Rather, put a value into the session and check for that.
I looked into it but I'm not completely sure how to implement it or how it works. I tried to store the user id and last accessed time in a session object. Every time a request comes in, I calculate the difference (current - lastAccess) in the filter class, and if it is less than the session timeout I send it to the action class, otherwise I redirect it to the timeout page. I tried to implement this concept, but in the filter class, when the session is timed out (which means the session object is not available), it never made it to this function and went directly to the action class. I guess I really didn't get the concept right. Can you please guide me through the process or online resources?
Thanks
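
The approach quoted above (put a value into the session and check for that), sketched as a servlet filter. This is an added example, not code from the thread. It assumes the `javax.servlet` API, and the attribute name and page paths are hypothetical. The container expires idle sessions itself, so the filter only has to handle a missing session or a missing marker.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class AuthFilter implements Filter {
    // Hypothetical names: the login action sets AUTH_ATTR only after verifying credentials.
    static final String AUTH_ATTR = "authenticatedUserId";
    static final String LOGIN_PAGE = "/login.jsp";
    static final String TIMEOUT_PAGE = "/timeout.jsp";
    // Paths reachable without authentication; without these the redirect would loop.
    static final Set<String> PUBLIC_PATHS =
            new HashSet<>(Arrays.asList(LOGIN_PAGE, TIMEOUT_PAGE, "/login.do"));

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (PUBLIC_PATHS.contains(request.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }
        // getSession(false) never creates a session: it returns null when the
        // client has none or the container has already expired it.
        HttpSession session = request.getSession(false);
        Object userId = (session == null) ? null : session.getAttribute(AUTH_ATTR);
        if (userId != null) {
            chain.doFilter(req, res); // marker present: let the action class run
            return;
        }
        // The client sent a session id the container no longer accepts:
        // report a timeout rather than a first visit.
        boolean expired = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();
        response.sendRedirect(request.getContextPath()
                + (expired ? TIMEOUT_PAGE : LOGIN_PAGE));
    }

    @Override
    public void destroy() {}
}
```

The filter has to be mapped (in `web.xml` or with `@WebFilter`) to the URL pattern of the protected actions, otherwise requests reach the action class without passing through it.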