You are right, this is not very efficient; I strongly suggest using servlets. If you do, you can place all user info you would possibly need in an HttpSession.
You can in fact create a new session after authentication; you can also create a class containing the attributes you want to save on each session (e.g. name, address, sex, access code etc.). For example:

    // this is your function to verify the user against your DB
    if (CheckUser(loginname, password)) {
        HttpSession websession = request.getSession(true);
        // Sessions is a user-made class that contains the
        // methods and properties you want the session to have.
        Sessions thissession = new Sessions();
        // 30 minutes
        websession.setMaxInactiveInterval(1800);
        String sessid;
        // Just replace this method with one of yours.
        sessid = GenericTools.generateRandomSessionCode(25);
        // setAttribute/getAttribute replace the deprecated putValue/getValue
        websession.setAttribute("mysession", thissession);
        ((Sessions) websession.getAttribute("mysession")).setSessionCode(sessid);
        ((Sessions) websession.getAttribute("mysession")).setName(loginname);
    }

Getting information from your session is equally easy:

    HttpSession websession = request.getSession(true);
    if (websession.getAttribute("mysession") != null) {
        loginname = ((Sessions) websession.getAttribute("mysession")).getName();
    }

Of course your Sessions class must have the setSessionCode, setName and getName methods.

Hope this helps.

json

At 05:41 PM 12/18/01 -0800, you wrote:
>If anyone solves this it would be a great help to me as well. I am
>currently using a clumsy work around that doesn't always work.
>
>I have a User object that contains a lot of information about the users
>that could be very useful on various pages. I'd like to simply fill this
>object and add it to the session upon authentication for later use. I
>haven't found a way to do that yet.
>
>My work around is to do a pageContext.include() of a jsp that does the
>following on every page.
>
>  String name = request.getRemoteUser();
>  User user = (User)session.getAttribute("USER_OBJECT");
>  if(name!=null&&user==null) {
>    user = User.getUserByName(datasource, name);
>    session.setAttribute("USER_OBJECT", user);
>  }
>
>This has two problems though.
>1) It's a waste of time to have to do this on every page.
>2) It can create a race condition if the page it's included in needs to use
>the User object immediately. If I do the following the User object
>generally ends up being null.
>
>  pageContext.include("login.jsp");
>  User user = (User)session.getAttribute("USER_OBJECT");
>
>I think the ability to do this properly would be a great help to a lot of
>people and contribute to cleaner and faster servlet and jsp applications.
>Being able to specify a method that takes the username and password to be
>run on successful authentication would do it.
>
>-Cavan
>
>----- Original Message -----
>From: "Jon Weinberg" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Tuesday, December 18, 2001 4:08 PM
>Subject: Session
>
>
>I am running Tomcat 4.0 with form-based authentication. I would like to
>add some user-specific variables into the session as soon as the user logs
>in (that is, as soon as the user logs in, I want to get the username from
>the form, use it to query my DB, put some results into the user's session,
>and have the user continue on to the page he originally requested.)
>
>I have tried a number of solutions that don't work:
>
>1) I've tried having the login form's action send the info to a servlet
>that does the processing and then forwards the request to
>"j_security_check", but that solution only works in 3.2 and not in 4.0
>
>2) I have attached an HttpSessionListener, but since the session is
>created before the user actually logs in, my listener does not yet have
>the username and cannot complete the preprocessing.
>
>Is there a way for me to execute something right AFTER a user authenticates?
>
>Thanks,
>Jon
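
An added example, not part of the original thread and not Tomcat's own code: one way to attach the user object at login when a servlet performs its own credential check, as the reply suggests. It discards any session created before login so the pre-login session ID is not carried into the authenticated session, and it reads the object back without creating a session as a side effect. The names `LoginSessions` and `UserInfo` are hypothetical, and the `javax.servlet` package is assumed (newer containers use `jakarta.servlet`).

```java
import java.io.Serializable;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Added example: session handling around a servlet-based login. */
public final class LoginSessions {
    static final String USER_KEY = "USER_OBJECT";   // attribute name used in the thread
    static final int IDLE_TIMEOUT_SECONDS = 1800;   // 30 minutes, as in the reply

    /** Hypothetical stand-in for the thread's User / Sessions class. */
    public static final class UserInfo implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        public UserInfo(String name) { this.name = name; }
        public String getName() { return name; }
    }

    private LoginSessions() {}

    /** Call only after the credential check has succeeded. */
    public static HttpSession establish(HttpServletRequest request, UserInfo user) {
        // A session may already exist from before login (the listener problem
        // described in the thread). Drop it so the pre-login ID is not reused.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);   // container issues a new ID
        fresh.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);
        fresh.setAttribute(USER_KEY, user);
        return fresh;
    }

    /** Returns the logged-in user, or null; never creates a session. */
    public static UserInfo current(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return null;
        }
        Object value = session.getAttribute(USER_KEY);
        return (value instanceof UserInfo) ? (UserInfo) value : null;
    }

    /** Logout: discard the session and everything stored in it. */
    public static void end(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }
}
```

This fits an application-managed login only; with container-managed form authentication the container keeps the authenticated principal in the session, so invalidating it after `j_security_check` would log the user out.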