Hi.
I want to retrieve the list of user file names by sending a post request from my applet to my servlet.
In my servlet, I get the current user and make sure they are logged in like so:
The problem is that session is null when the post request arrives at the servlet.
In my applet I have used:
Does anyone know what is causing this and how to overcome it?
Thanks
Apparently, it does not.
The user logs in to my page so the session is created, then the user clicks a button to access the applet. Since the applet is opened in the same browser, I hoped that it can use the cached session, but it does not.
I know one approach is to generate a temporary session string and pass it to the applet and attach it to the post requests...but is there an easier way?
Personally, I create my own user class with its own unique id system and serialize each user object to disk. That way I don't get tangled in the servlet session id system.
At its simplest that class can just hold a collection but naturally it can be much more complex.
Serializing and recovering an object to/from disk is surprisingly fast, or you can cache them.
Naturally you can keep the custom object ID in a user session, put it on forms as a hidden variable, etc etc.
Thank you William for the post. Below I reiterate the idea; please let me know if this sounds reasonable, and if you think there is any security risk, please let me know as well.
on the client side:
-------
Inside the applet code, I send the access_id with the post method
-------
on the server side:
-----------
and my access_id is encrypted from something like this:
user_id+random_number
Note that this access_id is exposed in my HTML page, and a legitimate user could attempt to reverse engineer it to make a decryption; then, if the ids of other users are known, this hacker can wipe out all the data of other users.
Thanks. I like your idea (using a separate session key). I made a session listener class which monitors the available sessions, but I also have to keep track of which session is a logged-in session...
so I have an ArrayList of the logged-in sessions.
Do you think this will work if in the future when I deploy my app on multiple servers on the cloud?
My concern is that if I have an array of 2 servers and 4 users, I get:
server1: live_sessions: {"ABC", "DEF"}
server2: live_sessions: {"GHI", "JKL"}
and server1 receives a validation request for id="GHI" which fails to work because user "GHI" was monitored on the other server.
or maybe I'm wrong and servers share memory.
Sorry, this discussion is all over the place, from security to memory sharing on the cloud.
I've realized that using a session specific password (although safer) is far more complicated on a distributed system and for that reason I'll just use a decryption system with a static key and a random seed.
It's unfortunate that there is no standard method of communication between a servlet and an applet on the same domain.
Thanks for the discussions
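An added example, not code from the thread or its participants: the access_id discussed above built as an HMAC-signed, expiring token instead of an encrypted user_id+random_number, so a client that edits the user id cannot produce a value the servlet accepts, and any server holding the same key can verify it without shared session state. The class name, payload layout, lifetime and key handling are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical helper (not from the thread): signed, expiring access_id.
public class AccessToken {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private final SecretKeySpec key;
    public AccessToken(byte[] secret) { this.key = new SecretKeySpec(secret, "HmacSHA256"); }

    private byte[] mac(byte[] data) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(key);
        return m.doFinal(data);
    }
    // Payload is userId|expiryEpochSeconds|nonce; the tag covers all three fields.
    public String issue(String userId, long ttlSeconds) throws Exception {
        byte[] nonce = new byte[16];
        new SecureRandom().nextBytes(nonce);
        long exp = System.currentTimeMillis() / 1000 + ttlSeconds;
        byte[] payload = (userId + "|" + exp + "|" + ENC.encodeToString(nonce)).getBytes(StandardCharsets.UTF_8);
        return ENC.encodeToString(payload) + "." + ENC.encodeToString(mac(payload));
    }
    // Returns the user id, or null if the token is malformed, forged or expired.
    // A user id containing '|' fails the field-count check and is rejected.
    public String verify(String token) throws Exception {
        String[] parts = token == null ? new String[0] : token.split("\\.");
        if (parts.length != 2) return null;
        byte[] payload, tag;
        try { payload = DEC.decode(parts[0]); tag = DEC.decode(parts[1]); }
        catch (IllegalArgumentException e) { return null; }
        if (!MessageDigest.isEqual(mac(payload), tag)) return null;   // constant-time compare
        String[] f = new String(payload, StandardCharsets.UTF_8).split("\\|");
        if (f.length != 3 || Long.parseLong(f[1]) < System.currentTimeMillis() / 1000) return null;
        return f[0];
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = new byte[32];          // constructed key; a deployment loads it from server config
        new SecureRandom().nextBytes(secret);
        AccessToken t = new AccessToken(secret);
        String tok = t.issue("user42", 300);   // constructed user id, 5-minute lifetime
        String swapped = ENC.encodeToString("user1|9999999999|x".getBytes(StandardCharsets.UTF_8)) + "." + tok.split("\\.")[1];
        System.out.println("genuine: " + t.verify(tok));
        System.out.println("user id swapped, old tag reused: " + t.verify(swapped));
        System.out.println("expired: " + t.verify(t.issue("user42", -1)));
    }
}
```

The servlet would call `verify` on the access_id posted by the applet and act only on the user id it returns, never on a user id sent as a separate parameter.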