Steve Bang wrote:
>
> When a user session times out and an application server's console says that
> the user has been logged out, I would have assumed that the user would have
> to re-authenticate to get back into the system.  Instead, what I've seen on
> both Tomcat and WebLogic is that pressing the Refresh/Reload button on a
> browser will allow the user to continue using an application.  Clearly, this
> is not acceptable for many applications.  Someone at work is telling me that
> session logouts are merely for resource conservation, not security.
> Assuming this is true, is there a recommended approach, using JSP(?) to
> force reauthentication?  I would have expected this to be managed by
> application servers, but it seems that I need to code this behavior.  Hans'
> excellent book (JavaServer Pages) has a good chapter on security and
> authentication, but I couldn't find any discussion about forced
> reauthentication after a session timeout.
>
> Steve
>

Hi Steve,

I have also seen this in the following scenario:

login page login.jsp has a form that points (action) to authenticate.jsp

authenticate.jsp checks for the login and sends to say loggedin.jsp.

if loggedin.jsp is a frame and authenticate.jsp uses <jsp:forward> then
the whole time the url stays as authenticate.jsp

now, even if the session is now timed out, on pressing the
reload/refresh on the browser, most browsers will ask to repost data and
if you select yes it will automatically send the username and password.

my solution was to use response.sendRedirect() instead of <jsp:forward>

this is not usually a problem when we don't use frames.

of course, you need to have a session variable and check if it exists in
all protected pages.

Hope this was useful.

ashish shrestha
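To make the two points in the reply concrete (redirect after authentication instead of <jsp:forward>, and a session check on every protected page), here is an added example written for this thread; it is not code from either poster. It assumes the javax.servlet API, a session attribute named "user" (my choice), and the page names used above.

```java
// File: AuthenticateServlet.java  (target of the form in login.jsp)
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class AuthenticateServlet extends HttpServlet {
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (checkCredentials(user, pass)) {
            // Mark the session, then REDIRECT (HTTP 302). The browser's
            // current URL becomes loggedin.jsp, so a later Reload is a plain
            // GET and cannot replay the POSTed username/password.
            req.getSession(true).setAttribute("user", user);
            resp.sendRedirect(req.getContextPath() + "/loggedin.jsp");
        } else {
            resp.sendRedirect(req.getContextPath() + "/login.jsp?failed=1");
        }
    }

    // Placeholder (assumption): replace with the application's real check.
    private boolean checkCredentials(String user, String pass) {
        return user != null && pass != null
            && user.length() > 0 && pass.length() > 0;
    }
}

// File: SessionCheckFilter.java  (mapped in web.xml to every protected URL,
// e.g. <url-pattern>/app/*</url-pattern>, so no page can forget the check)
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class SessionCheckFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(false);   // never create one here
        if (session == null || session.getAttribute("user") == null) {
            // Timed-out or never logged in: force a fresh login instead of
            // serving the page, so Reload after timeout does not continue.
            resp.sendRedirect(req.getContextPath() + "/login.jsp");
            return;
        }
        chain.doFilter(request, response);
    }
}
```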
