If I understand what you're saying, the login.jsp page will include a
form with two input elements, username and password, and a submit
button. The action attribute will be verify.jsp. And what you're
worried about is somebody skipping the login.jsp page and going
straight to verify.jsp.
First of all, if someone tries to go directly to verify.jsp, you're
still going to check the username and password elements which will
return null if they didn't use login.jsp or otherwise fake the post.
That's your first clue. If the fields are not null, then you're going
to validate the user before presenting the rest of the page, so there's
no problem there. If the issue is pages after verify.jsp, you can
either create a session or simply create a cookie. Choosing between
the two mechanisms should be pretty straightforward. If you're doing
session kinds of things like an e-commerce shopping cart, for example,
then create a session. But if each successive page, each get and post,
etc., is really independent of all the others, such as authenticating
prior to viewing a document archive, then a simple cookie will do. And
in this latter scenario, if you need an inactivity timeout, use two
cookies. One is a persistent cookie with max age set (persistence is
implied whenever max age is a positive value). The other cookie should
be a non-persistent cookie to assure that the user has to log back in
again if he or she restarts the browser (otherwise, if the machine
running the browser is in some sort of public kiosk, somebody coming up
to use it right after the authenticated user quit the browser and left,
would be able to re-invoke the browser and take advantage of the
persistent cookie which might not have timed out yet).
-- Rob
--On Monday, March 05, 2001 07:24:28 PM -0800 Ryan
[EMAIL PROTECTED] wrote:
To make things easier, I want to make a plain text login page called
login.jsp that contains a form with fields to enter username and
password. Then I will submit the info to a verify page (verify.jsp)
that checks to see if the username and password combination matches
that which is stored in a mySQL database.
I was wondering how to keep only valid users from being able to
access verify.jsp, meaning not just anyone could log into
http://localhost/verify.jsp. Would a session variable be the best
way to do this? Where I would store the IP of the client and a
special generated ID that would be saved in the session object and
appended to the URL.
Does this sound like a reasonable way of approaching the problem? If
so, I don't see the specs for a 'Session' object and how do I obtain
the IP of the client?
thanx
-ryan
QUIDQUID LATINE DICTUM SIT, PROFUNDUM VIDITUR
(Whatever is said in Latin appears profound)
Rob Tanner
McMinnville, Oregon
[EMAIL PROTECTED]
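
The two-cookie inactivity timeout described in the reply above, as an added example that is not code from the thread. The class name, the cookie names `idle` and `live`, the 900-second limit and the HMAC-signed cookie value (so a browser cannot simply invent the cookie) are assumptions made for illustration; it uses only the JDK so it runs outside a servlet container.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
// Added example (hypothetical names): two-cookie login state with a signed cookie value.
public class TwoCookieLogin {
    static final int IDLE_SECONDS = 900;   // assumed inactivity limit
    private final byte[] key;              // server-side secret, never sent to the browser
    TwoCookieLogin(byte[] key) { this.key = key; }

    private String sign(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] tag = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }
    // Set-Cookie values to send once the password check passes, and again on each later
    // request so the timeout slides. Assumes user names contain no '.', ';' or '='.
    List<String> issue(String user, long nowSec) throws Exception {
        String token = user + "." + (nowSec + IDLE_SECONDS);
        String value = token + "." + sign(token);
        return List.of(
            "idle=" + value + "; Max-Age=" + IDLE_SECONDS + "; Path=/; HttpOnly", // persistent
            "live=" + value + "; Path=/; HttpOnly");   // no Max-Age: gone when the browser exits
    }
    // Returns the user if both cookies are present, identical, authentic and unexpired, else null.
    String check(String cookieHeader, long nowSec) throws Exception {
        Map<String, String> c = new HashMap<>();
        if (cookieHeader != null)
            for (String p : cookieHeader.split(";\\s*")) {
                int i = p.indexOf('=');
                if (i > 0) c.put(p.substring(0, i), p.substring(i + 1));
            }
        String idle = c.get("idle"), live = c.get("live");
        if (idle == null || !idle.equals(live)) return null;  // one of the pair is missing or stale
        String[] f = idle.split("\\.");
        if (f.length != 3) return null;
        boolean authentic = MessageDigest.isEqual(f[2].getBytes(StandardCharsets.UTF_8),
            sign(f[0] + "." + f[1]).getBytes(StandardCharsets.UTF_8));
        return authentic && Long.parseLong(f[1]) > nowSec ? f[0] : null;
    }
    public static void main(String[] args) throws Exception {
        TwoCookieLogin t = new TwoCookieLogin("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        List<String> set = t.issue("ryan", 1000);              // constructed sample login
        String idle = set.get(0).split(";")[0], live = set.get(1).split(";")[0];
        System.out.println(t.check(idle + "; " + live, 1100));  // both cookies, still active
        System.out.println(t.check(idle, 1100));                // browser was restarted
        System.out.println(t.check(idle + "; " + live, 2000));  // idle longer than the limit
    }
}
```

The expiry time is also checked on the server, so a client that ignores `Max-Age` and keeps the persistent cookie past the limit is still rejected.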