Hi Pankaj,

Couple of things you could do... first, make sure all your requests go
through Struts. That way, they'd be copying a URL with .do, so when
they paste it in, they are again going through Struts. Then, you can
check in your code that a session has been established, and then you
assure that can only happen as a result of your login process.

Second, you could throw a filter in front of every single request, again
checking for a valid session, and redirect to the login page if none is
set up.

Third, you could use container-managed security. This would be the best
in terms of no code to write (or very little, if using FORM auth) and
also in terms of overall security.

I'm sure there are other options, but those immediately come to mind.
They all share the same underlying concept though: check for a valid
session with each request, however that is accomplished, and make sure a
session can only be established by a proper login... you don't
necessarily have to check for a proper session... you could just check
for some special attribute that gets placed in session when the user
properly logs in, and at no other time... that's probably in fact better
and easier to code, and that way you don't have to worry about it if you
mess up somewhere and get a session, as long as the attribute can only
get in it during login, no problem.

Frank

Pankaj Gupta wrote:

If a user copies the URL displayed in the browser after login, and
pastes it in a new browser window, his page gets displayed. How can I
prevent such a behavior?

regards,
Pankaj
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com
AIM: fzammetti
Yahoo: fzammetti
MSN: [EMAIL PROTECTED]
Java Web Parts -
http://javawebparts.sourceforge.net
Supplying the wheel, so you don't have to reinvent it!