Hello,

As Stephan said, servlet sessions are not supported.

>If a user logs in, I want to remember that they're 
>still logged in when they switch between pages, so they 
>don't have to keep re-authenticating.
There is no magic. If you have a look at each request issued from the browser, 
you will see that there is one piece of information that contains the session 
id (either the cookies header or the URL) => each request is somewhat 
"authenticated". When your browser allows cookies, the browser is in charge of 
generating correct requests. In case your browser does not allow cookies, the 
servlet container is in charge of generating the right URLs.

Web browsers are also able to authenticate each request using real 
authentication based on HTTP_BASIC (coupled with HTTPS, that's better) or 
HTTP_DIGEST. The browser is able to ask for your credentials, negotiate with the 
server and authenticate each request.

So, based on this browser feature (generation of requests with correct cookie 
values or correct basic or digest values), you can set up authentication on 
the server side using subclasses of the Authenticator class. The aim of an 
authenticator is to parse the request and check that the request is sent by a 
known and verified user. The Restlet framework provides a 
ChallengeAuthenticator class that handles HTTP_BASIC and HTTP_DIGEST challenge 
schemes. There is no Authenticator based on cookies, but it should not be 
difficult to cope with it.

Please note that Authorization is a second phase where the question to answer 
is: Is this user able to send this request to this resource? Restlet 
provides another feature for that: the Authorizer class.
Have a look at this page, especially at the sample code at the bottom. It 
should help you (http://wiki.restlet.org/docs_2.0/13-restlet/46-restlet.html).

Feel free to ask for more details.

Best regards,
Thierry Boileau

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2590610
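
The message above notes that Restlet has no cookie-based Authenticator but that one can be written as an Authenticator subclass. The following is an added example, not part of the original message or of the Restlet code base, of what such a subclass could look like against the Restlet 2.0 API. The class name CookieAuthenticator, the cookie name "sid", the openSession helper and the in-memory session map are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.restlet.Context;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.data.CookieSetting;
import org.restlet.data.Status;
import org.restlet.security.Authenticator;
import org.restlet.security.User;

// Hypothetical Authenticator subclass: checks a session cookie on every request.
public class CookieAuthenticator extends Authenticator {
    private static final String COOKIE = "sid"; // assumed cookie name
    // Assumed in-memory store: random token -> user identifier.
    private final Map<String, String> sessions = new ConcurrentHashMap<String, String>();
    private final SecureRandom random = new SecureRandom();

    public CookieAuthenticator(Context context) {
        super(context);
    }

    // Hypothetical helper: call once the login credentials have been verified.
    public void openSession(Response response, String userId) {
        byte[] raw = new byte[16]; // 128 bits from a CSPRNG, never a guessable id
        random.nextBytes(raw);
        StringBuilder token = new StringBuilder();
        for (byte b : raw) token.append(String.format("%02x", b));
        sessions.put(token.toString(), userId);
        CookieSetting cs = new CookieSetting(COOKIE, token.toString());
        cs.setPath("/");
        cs.setSecure(true);           // only sent over HTTPS
        cs.setAccessRestricted(true); // HttpOnly: not readable from page scripts
        response.getCookieSettings().add(cs);
    }

    @Override
    protected boolean authenticate(Request request, Response response) {
        String token = request.getCookies().getFirstValue(COOKIE);
        String userId = (token == null) ? null : sessions.get(token);
        if (userId == null) { // missing or unknown token: reject the request
            response.setStatus(Status.CLIENT_ERROR_UNAUTHORIZED);
            return false;
        }
        request.getClientInfo().setUser(new User(userId)); // visible to Authorizers
        return true;
    }
}
```

As with ChallengeAuthenticator, the instance is placed in front of the protected resources with setNext(...), and an Authorizer can follow it for the second phase.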
