
Session Tracking...

XDeal asked:
I'm currently working on a JSP application that requires users to log in and out. In doing so, I improvised a checking formula of my own; that is, the application will first generate a random value in the Login page. Second, it will store this value in the database. Third, the randomly generated value is passed along the URL as a parameter all throughout the application. Fourth, once the user logs out, another value is generated and stored in the database to indicate the 'session' no longer exists. I couldn't use the Session object because our webserver hasn't been properly configured yet to support Javax.

So the problem I now have is this:
User A, who is using PC Machine 1, logs in to my JSP application. While he is still in the 'session', User A e-mails User B, who on the other hand is using PC Machine 2, the complete URL of my JSP application. This being the case, User B can now access the page User A is currently on without logging in, since the randomly generated value, as well as the other parameters being passed in the URL, were copied and pasted to User B.

Another question is, if PC Machine 1 hangs, then User A won't be able to properly log out, thereby denying him access to the JSP application upon reboot, since the database will assume he is still in 'session'.

In reality, this shouldn't be the case. Is there a way I can work around these problems without using cookies or session objects? How do I achieve this?

Thanks!

Commented:
> Is there a way I can work around these problems without using cookies or session objects?

In fact, 'session objects' use either cookies or URL rewriting (the way you do it).

> if PC Machine 1 hangs, then User A won't be able to properly log-out, thereby denying him to access the JSP Application upon reboot since the database will assume he is still in 'session'.

The standard solution is:
1. time out all session objects if they haven't been used for some time
and
2. ALWAYS allow new log-ins (killing the old sessions for that user)

> User A e-mailed User B, who on the other hand is using PC Machine 2, the complete URL of my JSP application. This being the case, User B can now access the page

You can try logging the IP address or some other info like HTTP headers, but note that user B will always be able to log in using the correct user name / password pair.

Note that if you make your system unfriendly and hard to use, nobody will want to use it :)
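The three measures in the answer above (idle timeout, always allow a fresh login that kills the old session, and tie the token to client information such as the remote IP) put together in plain Java, as an added example that is not code from this thread. The `HashMap`s stand in for the asker's database table, the class and method names (`SessionRegistry`, `login`, `validate`) are my own, and the `main` method walks through the two scenarios from the question with constructed clock values and IP addresses.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Server-side registry of login tokens; the maps stand in for the database table. */
public class SessionRegistry {

    /** One live login. */
    private static final class Entry {
        final String user;
        final String clientBinding;  // remote IP (or a hash of IP + User-Agent)
        long lastSeenMillis;

        Entry(String user, String clientBinding, long now) {
            this.user = user;
            this.clientBinding = clientBinding;
            this.lastSeenMillis = now;
        }
    }

    private final Map<String, Entry> byToken = new HashMap<>();
    private final Map<String, String> tokenByUser = new HashMap<>();
    private final long idleTimeoutMillis;
    private final SecureRandom random = new SecureRandom();

    public SessionRegistry(long idleTimeoutMillis) {
        this.idleTimeoutMillis = idleTimeoutMillis;
    }

    /**
     * Called only after the user name / password pair has been verified. Always
     * succeeds: any earlier token for this user is discarded first, so a hung
     * machine can never lock the user out (measure 2 in the answer).
     */
    public String login(String user, String clientBinding, long now) {
        String old = tokenByUser.remove(user);
        if (old != null) {
            byToken.remove(old);
        }
        // 192 bits from SecureRandom: a predictable token (e.g. java.util.Random
        // seeded from the clock) would let anyone forge a login.
        byte[] raw = new byte[24];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        byToken.put(token, new Entry(user, clientBinding, now));
        tokenByUser.put(user, token);
        return token;
    }

    /**
     * Run on every request. Returns the user name, or null when the token is
     * unknown, idle for too long (measure 1), or presented from a different
     * client than the one that logged in (the e-mailed-URL case).
     */
    public String validate(String token, String clientBinding, long now) {
        Entry e = byToken.get(token);
        if (e == null) {
            return null;
        }
        if (now - e.lastSeenMillis > idleTimeoutMillis) {
            logout(token);
            return null;
        }
        if (!e.clientBinding.equals(clientBinding)) {
            return null;
        }
        e.lastSeenMillis = now;  // sliding idle window
        return e.user;
    }

    /** Explicit log-out, also used internally to expire a token. */
    public void logout(String token) {
        Entry e = byToken.remove(token);
        if (e != null) {
            tokenByUser.remove(e.user);
        }
    }

    public static void main(String[] args) {
        SessionRegistry reg = new SessionRegistry(15 * 60 * 1000L);  // 15-minute idle timeout
        long t0 = 1_000_000L;  // constructed clock values so the demo is deterministic

        // User A logs in from PC Machine 1 and the token works there.
        String tokenA = reg.login("userA", "10.0.0.1", t0);
        System.out.println(reg.validate(tokenA, "10.0.0.1", t0 + 1_000));    // userA

        // The same URL mailed to User B on PC Machine 2 is refused.
        System.out.println(reg.validate(tokenA, "10.0.0.2", t0 + 2_000));    // null

        // Machine 1 hangs; after the reboot User A simply logs in again and the
        // old token is dead, so the database never reports a stale 'session'.
        String tokenA2 = reg.login("userA", "10.0.0.1", t0 + 60_000);
        System.out.println(reg.validate(tokenA, "10.0.0.1", t0 + 61_000));   // null
        System.out.println(reg.validate(tokenA2, "10.0.0.1", t0 + 62_000));  // userA

        // Nothing for 20 minutes: the idle timeout expires the second token too.
        System.out.println(reg.validate(tokenA2, "10.0.0.1", t0 + 62_000 + 20 * 60 * 1000L)); // null
    }
}
```

Run it with `java SessionRegistry.java` (Java 11 or later). Two things worth keeping in mind if the token stays in the URL: a URL token ends up in browser history, proxy logs and the `Referer` header of any outbound link, which is exactly why the client binding and a short idle timeout matter; and once the container's session support is configured, `HttpSession` gives you the timeout and server-side state for free, with the token in a cookie instead of the query string.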

Commented:
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

- Points for heyhey_

Please leave any comments here within the next seven days.
 
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
 
Venabili
EE Cleanup Volunteer
