Sessions refuse to quit

Posted By:   matthew_magliocca
Posted On:   Sunday, December 16, 2001 11:54 AM

I'm trying to build a web site using HTML and servlets. To keep the unwanted out I have created a sign_in page which takes in passwords. Upon getting validated I putValue the confirmation of their id in the session (I use the word true) and keep checking it in the doGet methods. If the getValue method does not return true I redirect them back to the sign_in page. I thought this should stop people from being able to access the servlets without signing in. However, when I boot up TOMCAT and try to run through it, to test it out I skip ahead to a web page and access a servlet without signing in, only to discover that the session still contains the Value I put there earlier. I did some experiments and once I create a session with the appropriate clearance, even if I shut down TOMCAT and go back, the session still contains the clearance. Why doesn't the session invalidate when I sign off and how can I fix it? Thanks!


Re: Sessions refuse to quit

Posted By:   Christopher_Schultz  
Posted On:   Monday, December 17, 2001 07:57 AM

First, can you give us some sample code where you get the value from the session and compare it?



Second, some servlet containers (Tomcat might be one of them, especially the newer versions) will persist sessions across restarts. This is great for users who get their servlet servers shut down on them while they're logged in. This might turn out to be a pain for you. Check your web.xml file for any indication of persisting sessions, and take a look at your user's manual or FAQ.



If your sessions are persisting and you do not want them to, then expire the session when the user performs a logout.



-chris
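
The check-and-logout pattern discussed in this thread, as an added example that is not code from either poster. The attribute name `signedIn`, the `/sign_in.html` path and both class names are assumptions; the marker is stored as `Boolean.TRUE` by the sign-in servlet.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet guarding a page behind the sign-in marker.
class ProtectedServlet extends HttpServlet {
    static final String SIGNED_IN = "signedIn";      // assumed attribute name
    static final String SIGN_IN_PAGE = "/sign_in.html"; // assumed path

    // True only when a session already exists and carries the marker.
    // getSession(false) never creates a session for an anonymous caller.
    // getAttribute replaces getValue, which is deprecated since Servlet 2.2.
    static boolean isSignedIn(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        return session != null
                && Boolean.TRUE.equals(session.getAttribute(SIGNED_IN));
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        if (!isSignedIn(req)) {
            resp.sendRedirect(req.getContextPath() + SIGN_IN_PAGE);
            return; // stop here so no protected output is written
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("protected content");
    }
}

// Hypothetical logout endpoint: expires the session on the server side.
class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            // Unbinds every attribute and retires the session id, so a
            // container that persists sessions has nothing left to restore.
            session.invalidate();
        }
        resp.sendRedirect(req.getContextPath() + ProtectedServlet.SIGN_IN_PAGE);
    }
}
```

Closing the browser or stopping the container does not call `invalidate()`, so a session that was never logged out stays valid until it times out.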