On Thu, 31 Oct 2002, Guru Mandavia wrote:
> Date: Thu, 31 Oct 2002 09:21:18 -0500
> From: Guru Mandavia <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Re: keeping user logged in using j_security_check
>
> Thanks Ralph. But can't I force j_security to read an existing cookie?

No.

> how do i map the sessionid back to the user in case he closed his
> browser?

You cannot. Enabling this would be a security problem, because the browser would be writing the session id cookie to disk on the client machine, where it is susceptible to being snooped. In the standard approach, the browser caches the session id cookie only in memory, where it would be much harder (but not impossible) for someone with access to the client's machine to swipe.

Are you trying to implement "remember me" functionality like portal sites do? If so, you should use a separate cookie for that, because the user will be running a different HttpSession each time they log in. And you won't be able to use container-managed security without writing some container specific code (in Tomcat 4.x, you'd need a Valve).

>
> Thanks,
> Guru

Craig
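The "separate cookie" approach described in the reply above, sketched as an added example that is not part of the original thread and is not Tomcat code: the persistent cookie carries a random single-use token that is unrelated to the session id, and the server keeps only its hash. The class and method names are hypothetical, the store is in memory, and it assumes Java 16 or later; setting the cookie and hooking the lookup into a Valve or filter is left to the container-specific code the reply mentions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical server-side store for "remember me" tokens, kept apart from the session id. */
public class RememberMeTokens {
    private record Entry(String user, Instant expires) {}

    private final Map<String, Entry> byTokenHash = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();

    /** Returns the value for a separate persistent cookie (send it Secure and HttpOnly). */
    public String issue(String user, long ttlSeconds) {
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        // Only a hash is stored, so a leaked store does not yield usable cookies.
        byTokenHash.put(sha256(token), new Entry(user, Instant.now().plusSeconds(ttlSeconds)));
        return token;
    }

    /** Single use: a presented token is removed; the caller issues a fresh one on success. */
    public String redeem(String token) {
        if (token == null) return null;
        Entry e = byTokenHash.remove(sha256(token));
        return (e == null || Instant.now().isAfter(e.expires())) ? null : e.user();
    }

    private static String sha256(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException ex) {
            throw new IllegalStateException(ex);
        }
    }

    public static void main(String[] args) {
        RememberMeTokens store = new RememberMeTokens();
        String cookie = store.issue("guru", 14 * 24 * 3600); // constructed sample user
        System.out.println("first visit: " + store.redeem(cookie));
        System.out.println("replayed:    " + store.redeem(cookie));
        System.out.println("forged:      " + store.redeem("not-a-real-token"));
    }
}
```

On a successful `redeem`, the application would create a new HttpSession for the returned user and call `issue` again, so a copied cookie stops working after its first use.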
