I have observed that different servlet engines treat
sessions differently. Consequently, I have made it my
best practice to not rely on them completely, as has
been done in the example in this thread.
Far better, say I, to create a class like UserSession
that implements HttpSessionBindingListener. When your
user logs in, place a UserSession for that user in the
session. When they log out, or are timed out, the
UserSession will be removed. Make this your
checkpoint...
//Nicholas
--- "Mikhail A.Golovanov" <[EMAIL PROTECTED]> wrote:
> 1. I do not know exactly but it seems that any GET or POST
> from that previous user's page will be followed by the
> creation of a new session (the session in the context of
> which this page was issued is invalidated already, isn't it).
>
> 2. What prevents you from checking whether the requested
> GET or POST is allowed for the user owning the session
> No. 2? The servlet validates the session; you then
> (in doGet/doPost) validate the action requested.
>
> > -----Original Message-----
> > From: A mailing list for discussion about Sun Microsystem's Java Servlet
> > API Technology. [mailto:[EMAIL PROTECTED]]On Behalf Of Punam Chordia
> > Sent: Thursday, February 03, 2000 6:09 AM
> > To: [EMAIL PROTECTED]
> > Subject: Doubt about sessions...
> >
> > Hi friends,
> > I have a doubt regarding sessions.
> > Initially I shall give a background of what I am trying to do.
> > I have a system in which a user logs in and according to
> > his priority a menu is displayed.
> > Suppose a higher priority user performs the following steps:
> > * logs in
> > * performs some task
> > * logs out.
> > Now when he logs in I will create a new session for him.
> > Say he has session ID 1.
> > When he logs out, I will invalidate the session.
> > Now IN THE SAME BROWSER WINDOW, another user logs in, who is of lesser
> > priority than the previous user. Say he gets a session ID 2.
> > He can use the back button of the browser to access the high priority
> > user's screen and perform any functionality, as the servlet will
> > just validate the session ID (2 is valid)
> > and let the user perform the task.
> > I don't want this to happen.
> > Any pointers are most welcome.
> >
> > Regards,
> >
> > Punam Chordia
> > ITL Infosys
> > Pune Infotech Park
> > 91-02139-32800 Extn. 2025
=====
"Suzie, Suzie, Suzie, Suzie
Suzie, Suzie Greenberg"
Suzie Greenberg, Phish
--
Nicholas Whitehead
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
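
The approach discussed in this thread, as an added example that is not code from any of the posters: a UserSession bound to the session at login, and a doPost that authorizes the requested action against the owner of the current session rather than accepting any valid session ID. It assumes the javax.servlet API; the class names, the attribute name and the priority levels are hypothetical.

```java
// AdminTaskServlet.java -- added example; all class, attribute and level names are assumptions.
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/** Per-login state; the container calls back when it enters or leaves a session. */
class UserSession implements HttpSessionBindingListener {
    static final String ATTR = "userSession";   // hypothetical attribute name
    private final String user;
    private final int priority;                 // higher number = more privileges (assumed scheme)
    private volatile boolean active;

    UserSession(String user, int priority) { this.user = user; this.priority = priority; }

    @Override public void valueBound(HttpSessionBindingEvent e)   { active = true; }
    // Fired on logout (invalidate), on timeout, or on explicit removeAttribute.
    @Override public void valueUnbound(HttpSessionBindingEvent e) { active = false; }

    boolean mayPerform(int requiredPriority) { return active && priority >= requiredPriority; }
    String user() { return user; }
}

public class AdminTaskServlet extends HttpServlet {
    private static final int REQUIRED_PRIORITY = 10;  // assumed level for this action

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);  // never create a session here
        Object bound = (session == null) ? null : session.getAttribute(UserSession.ATTR);
        if (!(bound instanceof UserSession)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Not logged in");
            return;
        }
        UserSession us = (UserSession) bound;
        // A valid session ID is not enough: the action is checked against the
        // user who owns this session, not the one for whom the form was rendered.
        if (!us.mayPerform(REQUIRED_PRIORITY)) {
            log("Denied admin task for user " + us.user());
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Not permitted");
            return;
        }
        resp.setHeader("Cache-Control", "no-store");  // keep the result out of Back-button history
        resp.setContentType("text/plain");
        resp.getWriter().println("Task performed");
    }
}
```

The login code is assumed to store the object with `session.setAttribute(UserSession.ATTR, new UserSession(name, level))` on a freshly created session.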