Paolo, sessions are accessed with a JSESSIONID cookie or query parameter
supplied with each request. It's not possible for one user to guess another
user's session ID, so the approach Martin describes is inherently secure.
(Just be careful with your authentication code and form/query parameter
validation elsewhere in your app!)

Dan

On Sat, Mar 3, 2012 at 4:40 AM, Paolo <[email protected]> wrote:

> On Saturday 03 March 2012, Martin Grigorov wrote:
> > Hi,
> >
> > Save the logged in user id in the Session.
> >
> > MySession.java:
> >
> > private long userId;
> >
> > public User getUser() {
> >   return userService.getUserById(userId);
> > }
> >
> >
> > AnyPage.java:
> > user = MySession.get().getUser();
> >
> Thank you for the support and the example code, very useful because I am a
> newbie.
> Just one more question: Is it secure?
> Can someone alter session data and change user data, so a hacker could
> log in with his own account but operate with other accounts?
> Do I need some random code like this "hdfds6yh6yhgtruifh4hf4frh9ruehfe" to
> store temporarily in session and database and associate it to a specific
> user?
>
> > > I added registration and user/password sign-in and checking with
> > > database, instead of simple "wicket" as user and password.
> > > All works ok, but now I need in AdminPage to know which user is
> > > logged in.
>
>
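
As an added illustration (not code from this thread, from Wicket or from the servlet API), here is a simplified model of the server-side session store that Dan's reply relies on: the browser holds only a random ID, while the user ID stays in server memory. The class and method names are hypothetical, and the 128-bit ID length and the sample users are assumptions.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Simplified model of a container's session store (hypothetical class, not Wicket or servlet API).
public class SessionStoreDemo {
    private static final SecureRandom RNG = new SecureRandom();
    // Session ID -> user ID. This map lives only on the server; the client never sees its values.
    private final Map<String, Long> sessions = new ConcurrentHashMap<>();

    // Called after the password check succeeds; returns the value sent as the JSESSIONID cookie.
    public String signIn(long userId) {
        byte[] raw = new byte[16];               // 128 random bits (assumed length)
        RNG.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(id, userId);
        return id;
    }

    // Identity comes from the server-side lookup only; request parameters are never consulted.
    public Optional<Long> currentUser(String sessionIdFromCookie) {
        if (sessionIdFromCookie == null) return Optional.empty();
        return Optional.ofNullable(sessions.get(sessionIdFromCookie));
    }

    // Dropping the entry makes the old cookie value useless.
    public void signOut(String sessionIdFromCookie) {
        if (sessionIdFromCookie != null) sessions.remove(sessionIdFromCookie);
    }

    public static void main(String[] args) {
        SessionStoreDemo store = new SessionStoreDemo();
        String aliceCookie = store.signIn(1L);   // constructed sample users
        String bobCookie = store.signIn(2L);

        // Bob's own cookie always resolves to Bob, whatever else his request contains.
        System.out.println("bob's cookie -> " + store.currentUser(bobCookie));
        // An ID the server never issued resolves to no user at all.
        System.out.println("unknown id   -> " + store.currentUser("AAAAAAAAAAAAAAAAAAAAAA"));
        // After sign-out the previously valid cookie no longer maps to a user.
        store.signOut(aliceCookie);
        System.out.println("after logout -> " + store.currentUser(aliceCookie));
    }
}
```

The extra random token Paolo asks about is what the session ID already is in this model: the only thing the client can present, and one that carries no user data to alter.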
