Hi,
From what I have learned, when the session times out there really isn't any
way to notify the user, except if you have a check for a special object
that is put in the session on ANY page that is session-based. That is to
say, JSP pages create a session automatically. But, say you have inside and
outside pages, where outside is "free floating": anyone can view them.
Inside they have to log in to get to them. What I do is include a "header"
on every inside page that checks for the object. If it exists, they can
access the page. If it doesn't and they are trying to access an inside page
(either through a link on a page that is open in their browser, or they
have a bookmark or type in the page directly on the URL line), it redirects
them to a login page. It's pretty simple actually.
When they log in, you do something in your login method like:
    HttpSession session = request.getSession(true);
    MyLoginObject obj = new MyLoginObject();
    // ... fill in obj if need be ...
    session.putValue("Login", obj);
    // ... or session.setAttribute("Login", obj) for servlet 2.2
Then, in your HEADER that is included on inside pages you have something
like so (or, if you use Model 2, your controller servlet would have this):
    HttpSession session = request.getSession(true);
    if( session.getValue("Login") == null )
    {
        // not logged in, so either they timed out,
        // or they are "illegally" accessing this page without logging in
        response.sendRedirect("some_new_url.jsp");
        // stop here: sendRedirect() does not end processing, so without
        // this return the rest of the inside page would still execute
        return;
    }
    else
    {
        // already logged in, do something here
        // if need be, otherwise just let the
        // flow go and it continues on to the page
    }
This allows you to protect inside resources that only specialized access is
allowed to, such as logging in. If you have say a multi-level login, where
your employees have say Admin privileges, then when they log in, the object
returned would have some sort of user_level id that allows you to use it to
allow access to say special pages only if that value is above say 100 or
something. Normal users when added to the site get a value below that.
Admin might get level 100, and super admin would get level 200 or something.
The only downside that I can see is actually figuring out if a session
timed out, or if they tried to access the page via a direct URL type in,
book-mark, etc. I don't think this is possible. Anyone know? Is there some
way when the session expires to redirect that client's web browser to a new
page?
Kevin Duffey
Software Engineer
[EMAIL PROTECTED]
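
The header check described in the message above, written as a reusable helper (an added example, not part of the original post). It also shows one heuristic for telling a probable timeout from a visitor who never logged in, using the standard HttpServletRequest session-id methods. The class name InsidePageGuard, the LoginInfo stand-in for the login object, and the login.jsp URLs are assumptions made for illustration.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical helper for the "header" check; needs the Servlet 2.2+ API on the classpath. */
public final class InsidePageGuard {

    /** Stand-in for the login object stored under "Login" (assumed shape). */
    public static final class LoginInfo implements java.io.Serializable {
        public final int userLevel;
        public LoginInfo(int userLevel) { this.userLevel = userLevel; }
    }

    private InsidePageGuard() {}

    /**
     * Returns true if the caller may render the page. Otherwise a redirect
     * or error has been sent and the caller must stop processing at once.
     */
    public static boolean allow(HttpServletRequest request,
                                HttpServletResponse response,
                                int requiredLevel) throws IOException {
        // getSession(false): do not create a session for anonymous visitors.
        HttpSession session = request.getSession(false);
        Object login = (session == null) ? null : session.getAttribute("Login");

        if (!(login instanceof LoginInfo)) {
            // The browser sent a session id the container no longer accepts:
            // usually a timeout, but also a server restart or a stale cookie.
            boolean staleId = request.getRequestedSessionId() != null
                    && !request.isRequestedSessionIdValid();
            response.sendRedirect(response.encodeRedirectURL(
                    staleId ? "login.jsp?reason=timeout" : "login.jsp"));
            return false;
        }
        if (((LoginInfo) login).userLevel < requiredLevel) {
            // Logged in, but below the level this page requires.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }
        return true;
    }
}
```

An inside page or controller servlet would call allow(request, response, level) first and return immediately when it yields false. The stale-id test is only a hint for the login page's wording; the access decision rests on the "Login" attribute alone.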