On Thu, 3 Feb 2000, Mikhail A.Golovanov wrote:

> Hi all
>
> IMHO all coming from a user agent (browser) is NOT
> reliable as the general session tracking data
> except for relatively stable HTML elements. In the
> case described and other of sort it would be the best
> to remember in the session object or other persistent
> object (file?) the track record of ALL session events
> so that in every service/doPost/doGet you know exactly
> how it come and what has preceded it. The archive has
> a lot on this, and here we go again.

I second that. In a real world application, where users click the
X-button, type URLs directly, etc., I have found API based sessions a bit
problematic. They assume too much 'politically correct' behaviour, or try
to predict every weird thing a user can do.

To the original poster: a simple text file logging logins and passing
everything sensitive through a ProtectedResource servlet that checks if
login is done, could be a low-quality solution that works. Expand your
logging on a needs basis.

I understand however, that this does not assist in educating users of
correct business logics. IMHO a bit more control on the browser would be
required for that, which would undermine the stateless nature of HTTP. I stray
into saying it is time for HTTP to get surpassed. We piggyback on a lame horse.

Hope this helps,
Kostas

>
> -----Original Message-----
> From: A mailing list for discussion about Sun Microsystem's Java Servlet API
> Technology. [mailto:[EMAIL PROTECTED]]On Behalf Of Saifi ,Khan
> (CTS)
> Sent: Wednesday, February 02, 2000 9:11 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Entry to WebApp
>
>
>
>
> Hi:
> Consider the following scenario
> Auth -> A -> B -> C
> Now we want that for accessing the page B, the request should have
> come only after visiting A.
> One solution is to use HTTP_REFERER server variable to find the
> URL from where the request came in.
> If others on the mailing list are aware of other approaches, I
> would like to learn about them.
> Thanks
> Saifi.
> -----Original Message-----
> From: onet-servlets [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, February 02, 2000 5:03 PM
> To: [EMAIL PROTECTED]
> Subject: Entry to WebApp
>
>
> Hello,
> How can I ensure exactly one entry to my web application - through an
> 'authentication page' ?
> What should I do to make other pages directly inaccessible ?
>
>
> Krzysztof Marcinowicz
>
> ___________________________________________________________________________
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff SERVLET-INTEREST".
>
> Archives: http://archives.java.sun.com/archives/servlet-interest.html
> Resources: http://java.sun.com/products/servlet/external-resources.html
> LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
>

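The thread suggests two server-side pieces: Golovanov's idea of recording every session event in the session object so each doGet knows what preceded it, and Kostas's ProtectedResource servlet that checks whether login has been done before anything sensitive is served. The servlet below is an added example illustrating both together (it is not code from any poster or from the Servlet API itself); it also shows why Saifi's HTTP_REFERER idea is not used for the A -> B -> C ordering. The session attribute names "user" and "steps", the login page /auth, the step parameter, and the /WEB-INF/pages/*.jsp targets are assumptions chosen for the example, and the code is written against a modern javax.servlet API rather than the Servlet 2.2 of 2000.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example: a single front servlet that guards every protected page.
 * Assumed names (not from the thread): session attributes "user" and "steps",
 * the login page /auth, the "step" request parameter and the page order A -> B -> C.
 */
public class ProtectedResourceServlet extends HttpServlet {

    // The workflow order is defined here, on the server, never inferred from the browser.
    private static final List<String> STEPS = Arrays.asList("A", "B", "C");
    private static final String LOGIN_PAGE = "/auth";

    /** Pure policy: may a session whose recorded trail is 'trail' view 'step'? */
    static boolean mayVisit(List<String> trail, String step) {
        int idx = STEPS.indexOf(step);
        if (idx < 0) return false;          // unknown or missing step name
        if (idx == 0) return true;          // first page is reachable once logged in
        String previous = STEPS.get(idx - 1);
        // The previous page must have been recorded by THIS server. The Referer
        // header is deliberately not consulted: the client controls it and many
        // browsers and proxies strip it, so it is neither authoritative nor reliable.
        return trail.contains(previous);
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);   // never create a session for strangers
        if (session == null || session.getAttribute("user") == null) {
            // Login check first: nothing sensitive is served without an authenticated session.
            resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + LOGIN_PAGE));
            return;
        }

        String step = req.getParameter("step");        // e.g. /protected?step=B (assumed layout)
        @SuppressWarnings("unchecked")
        List<String> trail = (List<String>) session.getAttribute("steps");
        if (trail == null) {
            trail = new ArrayList<String>();
            session.setAttribute("steps", trail);
        }

        if (!mayVisit(trail, step)) {
            // Record the out-of-order attempt in the container log; it is exactly the
            // kind of event worth watching for, and the user sees only a plain 403.
            log("session " + session.getId() + " requested step " + step + " after " + trail);
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "complete the previous step first");
            return;
        }

        synchronized (trail) {                         // the same session may be hit in parallel
            trail.add(step);                           // the track record Golovanov describes
        }
        session.setAttribute("steps", trail);          // re-set so replicated sessions pick it up
        req.getRequestDispatcher("/WEB-INF/pages/" + step + ".jsp").forward(req, resp);
    }
}
```

Keeping the pages under /WEB-INF/ means the container will not serve them directly, so the only route to B is through this servlet, which answers the original question ("make other pages directly inaccessible") without relying on anything the browser sends other than its session cookie. The mayVisit method has no servlet dependencies, so the ordering policy can be unit-tested with plain lists.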