Hi,

Now that I have decided to move my security framework from HTTP
authentication to HTTP sessions, I'm getting some weird results. I always
create a session and I check whether the session has just been created with
isNew(). If it's new and he's not trying to log in, or if he is trying to
log in but the data is incorrect, I invalidate the session through
HttpSession.invalidate() and then forward the request to the appropriate
page, depending on the error type (wrong password, timed out
session...). The weird thing is that if I use a
getRequestDispatcher(...).forward(...) after performing the
invalidation, then the session is not invalidated and the next request
returns false from isNew(). If I write a static page to the output myself,
then the session is properly invalidated, so... I wonder if I have to do
something special before/after invalidating a session. Does anybody have
any clue?

Here's some pseudocode, in case it helps...
.- Get the session
.- If session info is correct -> Allow the user to play
.- If session is incorrect
        -> session.invalidate()
        If error page is static
                Get the writer and write the page to the stream
        else
                Forward the request <--- SESSION IS NOT INVALIDATED
        .

Could this be a bug in my environment?
Apache 1.3.9
JRun 2.3 Build 152
Win NT

Thanks in advance,
Dan
-------------------------------------------
Daniel Lopez Janariz ([EMAIL PROTECTED])
Web Services
Computer Center
Balearic Islands University
-------------------------------------------
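
An added example, not part of the original post or of Dan's code: a servlet for the flow in the pseudocode that tracks login state with a session attribute instead of isNew(). It relies on the fact that a JSP creates a session by default unless it declares session="false"; that this is what happens in the forwarded case above is an assumption, not something confirmed in this thread. The attribute name, the page paths and checkCredentials are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginGateServlet extends HttpServlet {
    // Hypothetical attribute key; set only after a successful login.
    private static final String AUTH_USER = "auth.user";

    protected void service(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        // getSession(false) never creates a session, so an anonymous
        // request does not obtain one just by reaching this check.
        HttpSession session = req.getSession(false);
        if (session != null && session.getAttribute(AUTH_USER) != null) {
            req.getRequestDispatcher("/app/home.jsp").forward(req, res);
            return;
        }

        String user = req.getParameter("user");
        String password = req.getParameter("password");
        if (user != null && checkCredentials(user, password)) {
            // Discard any pre-login session so the authenticated one
            // gets a fresh session id.
            if (session != null) session.invalidate();
            HttpSession fresh = req.getSession(true);
            fresh.setAttribute(AUTH_USER, user);
            req.getRequestDispatcher("/app/home.jsp").forward(req, res);
            return;
        }

        if (session != null) session.invalidate();
        // If the target is a JSP without <%@ page session="false" %>, the
        // container creates a new, empty session during this forward, and
        // isNew() is false on the next request. That session carries no
        // AUTH_USER attribute, so the check at the top still rejects it.
        String error = (user == null) ? "/errors/timeout.jsp"
                                      : "/errors/badlogin.jsp";
        req.getRequestDispatcher(error).forward(req, res);
    }

    // Placeholder: replace with the real user store lookup.
    private boolean checkCredentials(String user, String password) {
        return false;
    }
}
```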
