You could put the following page directive on your login? .jsp page: <%@ page session="false" %>
David Stevenson On Mon, 2004-11-29 at 20:35, Frank W. Zammetti wrote: > Yes, the session is created automagically when a servlet-served resource > is accessed (meaning things other than HTML, images, things like that). > JSPs and servlets in other words. I seem to remember a config switch > to turn this off, but that's how it generally works, and this is usually > how other app servers work too AFAIK. > > There are ways to deal with the, the way I generally do it is simply to > check for some known object in session. This object is only placed in > session from my logon process. So, if it's not there at any other time, > the user hasn't been validated. Cue whatever error/redirection logic > you want at that point. I think this is a fairly typical approach. > > This confused the hell out of me for a while too... It's a bit > counterintuitive, especially when there exists API functionality to > create a session or use an existing one. The logic there I suppose is > that you may want to discard the automatically-created session in favor > of your own during a logon process for instance, but I'm not sure I see > the reason for doing that. > > In any case, you aren't seeing anything unusual here, it's simply > something you have to deal with one way or another (or find out the > config switch to turn it off, if my memory is serving me correctly in > saying it exists at all). --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
