Currently you use the session as an isLoggedIn flag. If you use the servlet container's security mechanism, then:

1. You can bundle all your JSPs/servlets into a resource collection and restrict access to these resources by roles. All your JSPs can then be session="true" JSPs, because if the container lets you access any of them then it's guaranteed that you are logged in.
2. You can specify your own login JSP and deploy it in web.xml. In that case you must use predefined form names for username and pwd. (think it's specified in jsp spec)

The only drawback with that approach is that you MUST use the container's security implementation. Take Tomcat 3.2.x for instance. You must choose between the simple user.xml file or a db table (both must be configured in server.xml, interceptors section; an example is given there).

OK, that was many words for simply saying: let the servlet container take care of sessions and don't worry about them yourself.

One thing for Tomcat 3.x (is it true for 4.x also?): If you want to avoid sessions because you observed that response time with sessions on is slow, then this is due to the fact that session ids are generated with a secure random generator. This generator needs some seconds to generate the very first number, but later on it's fast. So every time you start your servlet container, the first call of any user with session on takes unusually long.

Peter
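
The container-managed setup described in the message above, written out as a web.xml deployment descriptor. This is an added example, not part of the original post; the URL pattern `/app/*`, the role name `member` and the page names `/login.jsp` and `/login-failed.jsp` are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC
    "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>

  <!-- Point 1: one resource collection, restricted by role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected pages</web-resource-name>
      <!-- Assumed layout: every protected JSP/servlet lives under /app/ -->
      <url-pattern>/app/*</url-pattern>
      <!-- No http-method elements on purpose: the constraint then covers
           every HTTP method. Listing only GET and POST would leave the
           other methods unconstrained. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- Assumed role; it must exist in the container's user store -->
      <role-name>member</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Point 2: your own login page, declared to the container. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <!-- Both pages sit outside /app/ so they are reachable before login -->
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-failed.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>member</role-name>
  </security-role>

  <!-- login.jsp must post to the container using the predefined names:
         <form method="POST" action="j_security_check">
           <input type="text"     name="j_username">
           <input type="password" name="j_password">
         </form>
       The container, not application code, checks the credentials and
       then serves the originally requested /app/ resource. -->
</web-app>
```

A request for anything under `/app/` without an authenticated user in the `member` role is answered with the login page, so the protected pages need no login check of their own.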
