Hello,

I'm currently working on a web application where we want to use the container-based authentication mechanism because of its standardized character. Therefore we need to use form-based authentication.

From the post within this forum I understood that the login page should never be accessed directly by the user, and that after the authentication the user gets redirected to the page he requested. The problem that now occurs for us is that we want to have a list of all logged-in users within our application, say in the servlet context. That wouldn't be a problem with a SessionListener. Anyway, we have the additional restriction that one user can only be logged in once at a time, say he/she can only have one session. Therefore, after every container-based authentication process we need to check whether this user is already logged in to the system and, if so, invalidate the session and send him/her out of the protected area.

Further reading in the list led me to posts from the year 2001 where people were discussing the session attribute tomcat.auth.originalLocation regarding that topic. So with a filter it should be possible to look for that attribute, do some action and send the user either to the location stated in that attribute or outside.

So what I need to know is whether I'm right with my statements above (can it be done this way) and whether there's a better, more comfortable way to do that, because this solution sounds a bit dirty to me.

Thanks for any help,
ralf

By the way: I tried to figure out when and by whom the session is created after the authentication is complete, but I couldn't figure it out. Can somebody explain this to me?
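A sketch of the filter-plus-listener check described in the post, as an added example that is not part of the original message and not Tomcat's own code; it keys on `getRemoteUser()` instead of the `tomcat.auth.originalLocation` attribute. Assumptions: the `javax.servlet` API at Servlet 2.4 or later (so `sessionDestroyed` runs while attributes are still readable), Java 7 or later, and the hypothetical names `SingleSessionFilter`, `singleSession.user` and `/already-logged-in.html`.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: allows one active session per authenticated user.
// Register in web.xml as a <filter> mapped to the protected area AND as a <listener>.
public class SingleSessionFilter implements Filter, HttpSessionListener {
    // user name -> id of the session that owns the login; static because the
    // container creates separate instances for the filter and the listener
    private static final ConcurrentMap<String, String> ACTIVE = new ConcurrentHashMap<>();
    private static final String OWNER = "singleSession.user"; // hypothetical attribute name

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String user = req.getRemoteUser();           // non-null once the container has authenticated
        HttpSession session = req.getSession(false); // never create a session here
        if (user != null && session != null) {
            // Atomic claim: returns null if this session now owns the login
            String owner = ACTIVE.putIfAbsent(user, session.getId());
            if (owner != null && !owner.equals(session.getId())) {
                // Another session already holds this user: reject the new one
                session.invalidate();
                // Hypothetical page; must lie outside the protected area to avoid a login loop
                res.sendRedirect(req.getContextPath() + "/already-logged-in.html");
                return;
            }
            session.setAttribute(OWNER, user);       // lets sessionDestroyed find the user
        }
        chain.doFilter(rq, rs);
    }

    public void sessionCreated(HttpSessionEvent e) {}

    public void sessionDestroyed(HttpSessionEvent e) {
        HttpSession s = e.getSession();
        Object user = s.getAttribute(OWNER);         // absent on rejected sessions
        if (user != null) {
            // Conditional remove: only the owning session frees the user's slot
            ACTIVE.remove((String) user, s.getId());
        }
    }
}
```

Because the slot is released only in `sessionDestroyed`, a user who closes the browser without logging out stays locked out until the old session times out, so the session timeout bounds that window.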