hi Roland,

generally, i would say the idea is feasible and there is no possibility for hackers to bypass this; the state of server side sessions is maintained by the server only, the client has no chance to interfere with it in an unwarranted manner (as long as you do not store an "is_authorized" property in a cookie or something ;-)

Certainly there are other architectures (e.g. a central authorization servlet etc.) but that's a matter of preference, project requirements etc.

However, the following snippet appears troublesome, i assume your JSP engine does not compile it:

<% String benutzername = <ses:attribute name="uname"/>; %>
<% String passwort = <ses:attribute name="pass"/>; %>



you should write
<%
// Session attributes are looked up by their String name and come back as Object.
String benutzername = (String) session.getAttribute("uname");
String password = (String) session.getAttribute("pass");
%>

to achieve the desired effects.

cheers
Joe


_______________________________________________
DbForms Mailing List

http://www.wap-force.net/dbforms
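
Added example, not part of the message above or of the DbForms code base: a servlet filter that makes the authorization decision from server-side session state only, with the cookie-based variant the message warns against shown as a comment. The attribute name `authenticatedUser`, the `/login.jsp` path and the `markLoggedIn` helper are assumptions for illustration; the code uses the `javax.servlet` API (newer containers use the `jakarta.servlet` package instead).

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: gate protected pages on server-side session state only. */
public class SessionAuthFilter implements Filter {

    // Hypothetical attribute name; set by the login code after credentials are verified.
    static final String AUTH_ATTR = "authenticatedUser";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // WEAK (do not do this): a cookie is client-supplied data, so a request
        // can carry "is_authorized=true" without any login having taken place.
        //   for (Cookie c : req.getCookies()) if ("is_authorized".equals(c.getName())) ...

        // getSession(false): never create a session just to test for a login.
        HttpSession session = req.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(AUTH_ATTR);

        if (user == null) {
            // No server-side login record: send the browser to the login page.
            res.sendRedirect(req.getContextPath() + "/login.jsp"); // hypothetical path
            return;
        }
        chain.doFilter(rq, rs);
    }

    /** Call from the login handler once the password check has succeeded. */
    static void markLoggedIn(HttpServletRequest req, String username) {
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();   // drop any pre-login session id
        // Only the user's identity is kept server-side; the browser holds just the session id.
        req.getSession(true).setAttribute(AUTH_ATTR, username);
    }
}
```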
