I was thinking that leaving the session validated may cause problems elsewhere. I am now thinking I should invalidate the session when I auto logoff and then store a message for that device in some kind of device specific message queue in my application. I already track each device's unique id with a cookie, so I could look up any message for the device's login page by device id from its cookie.
Also, does it matter to Wicket or the session how and from where a session gets invalidated? I mean, is it ok for one session to invalidate another? I know that some of the things I am talking about may sound like overkill or useless, but this app runs on wireless PDA scanning devices that are used in grocery stores. They get left on grocery shelves and can be picked up and used by anybody. The security requirements for this type of device are much different than that of a PC in an office somewhere.

Thanks,

> -----Original Message-----
> From: Maurice Marrink [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, March 04, 2008 2:12 PM
> To: [email protected]
> Subject: Re: Wicket-Security How do you pass an error to the login page?
>
> Not required, just wise. Therefore I would suggest only not
> invalidating the session if you trigger an automatic logoff. If the
> user himself logs off I would definitely invalidate.
> Also, on an afterthought, I am not sure if the app container is
> automatically picking up you messing with someone else's session
> (serializing it back to disk and stuff), so you might need to trigger
> something manually. Maybe one of the Wicket devs has some insight on
> this?
>
> Maurice
>
> On Tue, Mar 4, 2008 at 11:02 PM, Warren <[EMAIL PROTECTED]> wrote:
> > I have tried just logging off the user and not invalidating the session and
> > it does work. I just wasn't sure if I was required to invalidate it when I
> > called logoff(...).
> >
> > > -----Original Message-----
> > > From: Maurice Marrink [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, March 04, 2008 1:10 PM
> > > To: [email protected]
> > > Subject: Re: Wicket-Security How do you pass an error to the login page?
> > >
> > > How about not invalidating the session but just log off the user. That
> > > way you can use session.error(...) and still let the user know about
> > > what happened as long as they make another request before the session
> > > times out.
> > >
> > > There is only one extra thing you need to do,
> > > Starting with version 1.3.0 wasp automatically invalidates the session
> > > for you if you use session.logoff(....)
> > >
> > >     public boolean logoff(Object context)
> > >     {
> > >         if (securityStrategy != null && securityStrategy.logoff(context))
> > >         {
> > >             if (securityStrategy.isUserAuthenticated())
> > >                 dirty();
> > >             else
> > >                 invalidate();
> > >             return true;
> > >         }
> > >         return false;
> > >     }
> > >
> > > you can either choose to overwrite WaspSession.logoff or bypass the
> > > session.logoff(...) and use strategy.logoff(...) directly.
> > >
> > > Maurice
> > >
> > > On Tue, Mar 4, 2008 at 7:15 PM, Warren <[EMAIL PROTECTED]> wrote:
> > > > I have a use case that says that one user can only be logged on to one
> > > > device at a time. The way I implemented this is by allowing the user to log
> > > > on to a second device which would in turn log them off the first device. I
> > > > have done this by having the session look for other sessions that have the
> > > > same user and then logging them off of that other session. This works fine,
> > > > but I would like to give the user of the first device a reason why they were
> > > > logged off. Here is the code I am using to log the other session off:
> > > >
> > > > session2 calls:
> > > >
> > > >     session1.autoLogOff(String logOutMessage);
> > > >
> > > > autoLogOff(String logOutMessage)
> > > >
> > > >     if(logoff(MyApp.getLogoffContext()))
> > > >     {
> > > >         invalidate();
> > > >         error(logOutMessage);
> > > >     }
> > > >
> > > > I can not call error(logOutMessage) since the session has been invalidated.
> > > > And I can not pass any message to the first device since the login page will
> > > > be called internally when the first device makes its next request and is
> > > > redirected to the login page. Is there any way to pass a message to the
> > > > first device's login page after the second device has invalidated the first
> > > > device's session?
> > > >
> > > > Thanks,
> > > >
> > > > Warren Bell

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
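
The approach described in the top message (invalidate the first device's session, then leave a message for that device's login page keyed by the device id from its cookie), as an added example that is not part of the original thread or of Wicket/Wasp. It is plain Java with no framework calls; the class name `DeviceNoticeStore`, its methods and the sample device ids are hypothetical, and it assumes Java 16 or later for `record`.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

/** Hypothetical application-scoped store: survives invalidation of any HTTP session. */
public final class DeviceNoticeStore {
    private record Notice(String text, Instant expires) {}

    private final ConcurrentMap<String, Notice> notices = new ConcurrentHashMap<>();
    private final Duration ttl;

    public DeviceNoticeStore(Duration ttl) { this.ttl = ttl; }

    /** Called by the session forcing the logoff. The device id cookie is
     *  client-supplied, so store only a fixed, non-sensitive text here. */
    public void post(String deviceId, String text) {
        notices.put(deviceId, new Notice(text, Instant.now().plus(ttl)));
    }

    /** Called by the login page. One-shot: remove() hands the notice to
     *  exactly one request, so it cannot be replayed or shown twice. */
    public Optional<String> consume(String deviceId) {
        if (deviceId == null) return Optional.empty();
        Notice n = notices.remove(deviceId);
        if (n == null || Instant.now().isAfter(n.expires())) return Optional.empty();
        return Optional.of(n.text());
    }

    /** Run periodically so notices for devices that never return do not pile up. */
    public void purgeExpired() {
        Instant now = Instant.now();
        notices.values().removeIf(n -> now.isAfter(n.expires()));
    }

    public static void main(String[] args) {
        DeviceNoticeStore store = new DeviceNoticeStore(Duration.ofMinutes(30));
        // Constructed sample: device-A is logged off because the user signed in elsewhere.
        store.post("device-A", "You were logged off: this user signed in on another device.");
        System.out.println(store.consume("device-A").orElse("(no notice)")); // the notice
        System.out.println(store.consume("device-A").orElse("(no notice)")); // already consumed
        System.out.println(store.consume("device-B").orElse("(no notice)")); // never posted
    }
}
```

Because the notice lives outside the session, the old session can be invalidated immediately, which matters on shared devices where the next person to pick up the scanner should never inherit an authenticated session.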
