I realize that you're asking if there is a Tomcat-configurable solution to
this problem .... but that isn't the best way to handle this in the Java
world.

The Tomcat-configurable way might be to force a directory (or web-app) to
force a new hit to the server instead of allowing the page to be cached in
the browser.   I'm not sure how you do this, but I am sure someone does.

There is also a way to put a directive in the JSP page that forces it to
refresh every time the page is hit ... there's a way to do it, but I've
since forgotten .... yeah, I know, I am just so full of information.

My personal best way to solve this is to use Servlets ... if my user goes to
my login.jsp page, that's fine ... when they submit though it goes to a
Login Servlet which does all the work and then re-directs to the login.jsp
page with errors or failed validation.  The Servlet uses a javabean to query
the database, and if all is well, then the servlet redirects to the web-site
itself.  The Login Servlet also sets a user object in session ... so that if
a user tries to bookmark a URL ... if the user object doesn't exist (because
of timing out, or whatever), then I redirect them back to the login.jsp.

I know a lot of people don't like that because they have server farms and
the user has to be re-directed back to the same machine and objects in
session take up system memory.   But, I don't put a lot into that object,
it's very minimal, and I don't get many users for it to be an issue, and I
bumped up the memory on that web-server anyway.

Hope this helps. Thanks.

                              Tom
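
The session check Tom describes (a user object placed in session by the login servlet, and a redirect to login.jsp when it is missing), written here as an added example and not code from the original post or from Tomcat. It is a hypothetical servlet Filter; the attribute name "user", the paths /login.jsp and /login, and the class name are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter mapped to /* in web.xml. Any request whose session
 * lacks the "user" attribute set by the login servlet is sent back to
 * login.jsp. The login page and the login servlet itself are exempt so a
 * visitor can always reach the login flow.
 */
public class AuthFilter implements Filter {
    // Paths reachable without a session user (assumed names, not Tomcat's).
    private static final String LOGIN_PAGE = "/login.jsp";
    private static final String LOGIN_ACTION = "/login";
    static final String USER_ATTR = "user";

    public void init(FilterConfig cfg) throws ServletException { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Tell browsers and proxies not to cache these pages, so a stale
        // copy is not shown from the cache after the session has expired.
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        String path = request.getServletPath();
        if (LOGIN_PAGE.equals(path) || LOGIN_ACTION.equals(path)) {
            chain.doFilter(req, res);   // login flow is always reachable
            return;
        }

        // getSession(false) does not create a session for anonymous hits
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Register it in web.xml with a filter-mapping whose url-pattern is /*; the login servlet then only needs to call session.setAttribute("user", ...) on success.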

----- Original Message ----- 
From: "Chaikin, Yaakov Y (US SSA)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, December 08, 2003 5:59 PM
Subject: How to prevent direct access to login.jsp


Hi,

I realized that my user can mess himself up by bookmarking the login page
where he is asked to log in. The login.jsp appears in the URL address in the
browser...

Does anyone know how to avoid this? How do I block that URL for the user
and not for the server?

Thanks.

Yaakov Chaikin
Software Engineer
BAE SYSTEMS
301-838-6899 (phone)
301-838-6802 (fax)
[EMAIL PROTECTED]



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]