Re: plain text login
If you check the Servlet Specs, it explains the default authentication mechanism used. It does everything you guys are coding.

Christian Rauh
Re: plain text login
I do a similar thing with servlets. I wrote a servlet class called ProtectedResource. When it's accessed, it retrieves the current servlet session. Unless a value has been set in the current session, it redirects the user to a logon page. The login page takes the login and password, checks against the db, and if ok sets a value in the session. When redirecting from the ProtectedResource I store the required page, so that after a successful login you get redirected. To make this secure, all I have to do now is get Tomcat working with SSL.

I don't know how JSP works, so I'm not sure how easy this would translate. The code I got was from the Servlet Programming book from O'Reilly. Perhaps you could wrap all protected .jsp pages in a servlet? If authorised it goes straight to the page for example..

sam

- Original Message -
From: Ryan
To: [EMAIL PROTECTED]
Sent: Tuesday, March 06, 2001 3:24 AM
Subject: plain text login

To make things easier, I want to make a plain text login page called login.jsp that contains a form with fields to enter username and password. Then I will submit the info to a verify page (verify.jsp) that checks to see if the username and password combination matches that which is stored in a MySQL database. I was wondering how to keep only valid users from being able to access verify.jsp, meaning not just anyone could login into http://localhost/verify.jsp. Would a session variable be the best way to do this? Where I would store the IP of the client and a special generated ID that would be saved in the session object and appended to the url. Does this sound like a reasonable way of approaching the problem? If so, I don't see the specs for a 'Session' object and how do I obtain the IP of the client?

thanx
-ryan
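An added sketch of the ProtectedResource pattern described in the message above (session check, remembered target page, redirect after login). It is not the poster's code or the O'Reilly book's; the attribute names, the /login.jsp path and the completeLogin/safeTarget helpers are assumptions, and it targets the javax.servlet API at Servlet 3.1 or later (for changeSessionId).

```java
import java.io.IOException;
import javax.servlet.http.*;

// Added illustration; class layout, attribute names and paths are assumptions.
public class ProtectedResource extends HttpServlet {
    static final String USER_ATTR = "authUser";      // set only after a successful login
    static final String TARGET_ATTR = "loginTarget"; // page requested before login

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false); // do not create a session just to look
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            // Not logged in: remember the requested page, then go to the logon page.
            String target = req.getRequestURI();
            if (req.getQueryString() != null) target += "?" + req.getQueryString();
            req.getSession(true).setAttribute(TARGET_ATTR, target);
            resp.sendRedirect(req.getContextPath() + "/login.jsp");
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Protected content for " + session.getAttribute(USER_ATTR));
    }

    /** Called by the login handler once the credentials have been checked against the database. */
    static String completeLogin(HttpServletRequest req, String username) {
        HttpSession session = req.getSession(true);
        String target = (String) session.getAttribute(TARGET_ATTR);
        session.removeAttribute(TARGET_ATTR);
        req.changeSessionId();                     // fresh session id, defeats session fixation
        session.setAttribute(USER_ATTR, username); // the "value in the session" checked above
        return safeTarget(target, req.getContextPath() + "/");
    }

    /** Accept only same-site, server-relative paths as the post-login redirect. */
    static String safeTarget(String target, String fallback) {
        if (target == null || !target.startsWith("/") || target.startsWith("//")
                || target.contains("\\") || target.contains("\r") || target.contains("\n")) {
            return fallback;
        }
        return target;
    }
}
```

The login handler would call completeLogin only after the password check succeeds and then pass the returned path to sendRedirect.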
Re: plain text login
If I understand what you're saying, the login.jsp page will include a form with two input elements, username and password, and a submit button. The action attribute will be verify.jsp. And what you're worried about is somebody skipping the login.jsp page and going straight to verify.jsp.

First of all, if someone tries to go directly to verify.jsp, you're still going to check the username and password elements which will return null if they didn't use login.jsp or otherwise fake the post. That's your first clue. If the fields are not null, then you're going to validate the user before presenting the rest of the page, so there's no problem there.

If the issue is pages after verify.jsp, you can either create a session or simply create a cookie. Choosing between the two mechanisms should be pretty straightforward. If you're doing session kinds of things like an e-commerce shopping cart, for example, then create a session. But if each successive page, each get and post, etc, is really independent of all the others, such as authenticating prior to viewing a document archive, then a simple cookie will do.

And in this latter scenario, if you need an inactivity timeout, use two cookies. One is a persistent cookie with max age set (persistence is implied whenever max age is a positive value). The other cookie should be a non-persistent cookie to assure that the user has to log back in again if he or she restarts the browser (otherwise, if the machine running the browser is in some sort of public kiosk, somebody coming up to use it right after the authenticated user quit the browser and left, would be able to re-invoke the browser and take advantage of the persistent cookie which might not have timed out yet).

-- Rob

--On Monday, March 05, 2001 07:24:28 PM -0800 Ryan [EMAIL PROTECTED] wrote:

To make things easier, I want to make a plain text login page called login.jsp that contains a form with fields to enter username and password. Then I will submit the info to a verify page (verify.jsp) that checks to see if the username and password combination matches that which is stored in a MySQL database. I was wondering how to keep only valid users from being able to access verify.jsp, meaning not just anyone could login into http://localhost/verify.jsp. Would a session variable be the best way to do this? Where I would store the IP of the client and a special generated ID that would be saved in the session object and appended to the url. Does this sound like a reasonable way of approaching the problem? If so, I don't see the specs for a 'Session' object and how do I obtain the IP of the client?

thanx
-ryan

QUIDQUID LATINE DICTUM SIT, PROFUNDUM VIDITUR
(Whatever is said in Latin appears profound)
Rob Tanner
McMinnville, Oregon
[EMAIL PROTECTED]
Re: plain text login
On Wed, 07 Mar 2001 00:54:34 -0800, Rob Tanner wrote:

If the issue is pages after verify.jsp, you can either create a session or simply create a cookie. Choosing between the two mechanisms should be pretty straightforward. If you're doing session kinds of things like an e-commerce shopping cart, for example, then create a session. But if each successive page, each get and post, etc, is really independent of all the others, such as authenticating prior to viewing a document archive, then a simple cookie will do.

Hmm.. And what do I check this cookie coming from the browser against? I mean I can't just check to see if ANY cookie is there, I need to check for a particular value there.. I'm pretty interested in this not-using-sessions approach, but I cannot understand it.. Please, Rob, could you tell more on this?

Best regards,
Tagunov Anthony
plain text login
To make things easier, I want to make a plain text login page called login.jsp that contains a form with fields to enter username and password. Then I will submit the info to a verify page (verify.jsp) that checks to see if the username and password combination matches that which is stored in a MySQL database. I was wondering how to keep only valid users from being able to access verify.jsp, meaning not just anyone could login into http://localhost/verify.jsp. Would a session variable be the best way to do this? Where I would store the IP of the client and a special generated ID that would be saved in the session object and appended to the url. Does this sound like a reasonable way of approaching the problem? If so, I don't see the specs for a 'Session' object and how do I obtain the IP of the client?

thanx
-ryan