I'm currently working on a JSP application that requires users to log in and out. In doing so, I improvised a checking formula of my own; that is, the application will first generate a random value in the Login page. Second, it will store this value in the database. Third, the randomly generated value is passed along in the URL as a parameter all throughout the application. Fourth, once the user logs out, another value is generated and stored in the database to indicate the 'session' no longer exists. I couldn't use the Session object because our webserver hasn't been properly configured yet to support Javax.
So the problem I now have is this:
User A, who is using PC Machine 1, logs in to my JSP application. While he is still in the 'session', User A e-mails User B, who on the other hand is using PC Machine 2, the complete URL of my JSP application. This being the case, User B can now access the page User A is currently in without logging in, since the randomly generated value, as well as the other parameters being passed in the URL, were copied and pasted to User B.
Another question is, if PC Machine 1 hangs, then User A won't be able to properly log out, thereby denying him access to the JSP application upon reboot, since the database will assume he is still in 'session'.
In reality, this shouldn't be the case. Is there a way I can work around these problems without using cookies or session objects? How do I achieve this?
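
The token scheme described in the question, as an added example that is not part of the original post: each token gets a server-side idle timeout and is replaced at the next login, so a crashed machine cannot lock the user out, and it is checked against the client address it was issued to. `TokenStore`, the 15-minute limit and the in-memory map standing in for the database table are assumptions; the code needs Java 16 or later.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example: TokenStore and every name in it are hypothetical; the map
// stands in for the database table the post describes.
public class TokenStore {
    private static final Duration IDLE_LIMIT = Duration.ofMinutes(15); // assumed value
    private static final SecureRandom RNG = new SecureRandom();

    private record Entry(String user, String clientAddr, Instant lastSeen) {}

    private final Map<String, Entry> byToken = new ConcurrentHashMap<>();

    // Login: drop any token the user still holds (e.g. after a crash), then issue a new one.
    public String login(String user, String clientAddr, Instant now) {
        byToken.values().removeIf(e -> e.user().equals(user));
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        byToken.put(token, new Entry(user, clientAddr, now));
        return token;
    }

    // Per-request check: returns the user name, or null if the caller must log in again.
    public String validate(String token, String clientAddr, Instant now) {
        Entry e = byToken.get(token);
        if (e == null) return null;
        if (Duration.between(e.lastSeen(), now).compareTo(IDLE_LIMIT) > 0) {
            byToken.remove(token); // idle too long: expire on the server side
            return null;
        }
        if (!e.clientAddr().equals(clientAddr)) return null; // presented from another address
        byToken.put(token, new Entry(e.user(), e.clientAddr(), now)); // slide the idle window
        return e.user();
    }

    public void logout(String token) { byToken.remove(token); }

    public static void main(String[] args) {
        TokenStore store = new TokenStore();
        Instant t0 = Instant.parse("2024-01-01T09:00:00Z"); // constructed sample values
        String tok = store.login("userA", "10.0.0.1", t0);
        System.out.println(store.validate(tok, "10.0.0.1", t0.plusSeconds(60)));   // same machine
        System.out.println(store.validate(tok, "10.0.0.2", t0.plusSeconds(90)));   // forwarded URL
        System.out.println(store.validate(tok, "10.0.0.1", t0.plusSeconds(3600))); // idle too long
    }
}
```

The address check is only a partial control: clients behind the same proxy or NAT share an address, so a token carried in the URL still has to be treated as a credential that can leak through e-mail, browser history and logs.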