Thank you very much Hans, and also Sushma. Your explanations have made my ideas really
clearer on the subject. It is always a pleasure to see that many people can take time
to share their knowledge and abilities with other programmers. It is a very nice
attitude and I admire that behaviour.
Best regards,
Franck
----- Original Message -----
From: "Hans Bergsten" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, 10 May 2000 20:35
Subject: Re: Session is really not a simple stuff...
> Franck Rageade wrote:
> >
>
> Comments intermixed below.
>
>
> > I still have many problems to manage my session tracking... I work on
> > an intranet portal using NT4 / IIS / Resin 1.1. When the user logs on, an
> > instance of User class is instantiated, with the user's configuration, and
> > this instance is stored in the session. It looks like that :
> >
> > <%
> > HttpSession sess = req.getSession(true);
> > MGUser mgUser = new MGUser(cookieCode, req.getServerName());
> > sess.setAttribute("sessionMGUser", mgUser);
> > %>
>
> You're working too hard, and that's why it doesn't work as you'll soon
> see. You don't have to call getSession(true); the JSP container does that
> for you automatically and assigns the result to a variable named "session"
> (unless you have specifically specified that the page does not participate
> in a session using the page directive). So here you could just do:
>
> <%
> MGUser mgUser = new MGUser(cookieCode, request.getServerName());
> session.setAttribute("sessionMGUser", mgUser);
> %>
>
> To avoid Java code in your page, you could even change MGUser into
> a JavaBean. I'm not sure where the "cookieCode" comes from, but
> assuming it's a value extracted from the request, you could then
> use these tags instead:
>
> <jsp:useBean id="sessionMGUser" scope="session" class="MGUser" >
>   <jsp:setProperty name="sessionMGUser" property="request" value="<%= request %>" />
> </jsp:useBean>
>
> This creates an instance of MGUser and saves it in the session, if it
> doesn't exist already, and sets a property named "request" to the
> current HttpServletRequest object. Your bean can then extract the
> server name and "cookieCode" from the request.
>
> > Then, at the top of every page, the User object is retrieved with :
> >
> > <%!
> > MGUser mgUser;
> > HttpSession sess;
> > %>
>
> This is dangerous. When you use the <%! ... %> construct you are creating
> instance variables in the generated servlet. Instance variables are shared
> by all concurrent requests for the page, so the value of these variables
> can be overwritten by one request while you're still serving another.
> I recommend that you *never* use JSP declarations, unless you're really
> sure about what you're doing and know how to avoid multithreading problems
> with the use of synchronization. If you really want to share some information
> between all requests for a page, I suggest you use an application scope
> bean instead, where you can handle multithreading issues with as much
> code as you want without complicating the JSP page.
>
> > <% sess = request.getSession(false);
> > if (sess==null) response.sendRedirect(AUTH_FORM_URL);
> > mgUser = (MGUser)sess.getAttribute("sessionMGUser");
> > %>
>
> The reason this fails is that you assume sess will be null if the user
> is not authenticated. In a JSP page this will never be true, since the
> JSP container inserts "session = request.getSession(true)" in the code
> automatically. Also, since you use an object in the session as your
> "authentication token", it's better to check if it's there or not as
> a test for authentication. I would do it like this (again using the
> implicit session object):
>
> <%
>   MGUser mgUser = (MGUser) session.getAttribute("sessionMGUser");
>   if (mgUser == null) {
>     response.sendRedirect(AUTH_FORM_URL);
>     return; // stop here so the rest of the page does not run without a user
>   }
> %>
>
>
> > when the user logs out, or kills the browser, and another user
> > tries to log in, the second user retrieves the first one's configuration !!!
>
> What do you do when the user "logs out"? I suggest that you provide
> a log out page where you invalidate the session:
>
> <%
> session.invalidate();
> %>
>
> > Can anybody explain to me how to efficiently manage sessions?
>
> I hope this helped.
>
> Hans
> --
> Hans Bergsten [EMAIL PROTECTED]
> Gefion Software http://www.gefionsoftware.com
>
> ===========================================================================
> To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
> Some relevant FAQs on JSP/Servlets can be found at:
>
> http://java.sun.com/products/jsp/faq.html
> http://www.esperanto.org.nz/jsp/jspfaq.html
> http://www.jguru.com/jguru/faq/faqpage.jsp?name=JSP
> http://www.jguru.com/jguru/faq/faqpage.jsp?name=Servlets
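
The shared-instance-variable problem Hans describes for `<%! ... %>` declarations, as an added example that is not part of the original thread: a plain-Java stand-in for the generated servlet in which two latches force the interleaving that occurs by chance under load. The class name, method names and the user names "alice" and "bob" are constructed for illustration.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

// Constructed stand-in for the servlet class a JSP container generates from a page.
// Class and method names are hypothetical; no servlet API is needed to run it.
public class SharedFieldDemo {
    // Equivalent of <%! MGUser mgUser; %>: ONE field, shared by every request thread.
    private String mgUser;

    // Latches force the interleaving that otherwise happens by chance under load.
    private final CountDownLatch firstAssigned = new CountDownLatch(1);
    private final CountDownLatch secondAssigned = new CountDownLatch(1);

    // Page body: look up the user for this request's session, then render.
    String service(String sessionUser, boolean first) throws InterruptedException {
        if (!first) firstAssigned.await();   // second request arrives mid-flight
        mgUser = sessionUser;                // write to the declared (shared) field
        String local = sessionUser;          // scriptlet local: private to this thread
        if (first) {
            firstAssigned.countDown();
            secondAssigned.await();          // first request is still "rendering"
        } else {
            secondAssigned.countDown();
        }
        return "field=" + mgUser + " local=" + local;
    }

    public static void main(String[] args) throws Exception {
        SharedFieldDemo page = new SharedFieldDemo();   // one instance serves all requests
        ExecutorService pool = Executors.newFixedThreadPool(2);
        try {
            Future<String> alice = pool.submit(() -> page.service("alice", true));
            Future<String> bob = pool.submit(() -> page.service("bob", false));
            // alice's request reads bob's value from the field; her local is intact.
            System.out.println("alice's request: " + alice.get());
            System.out.println("bob's request:   " + bob.get());
        } finally {
            pool.shutdown();
        }
    }
}
```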