Solved

different path, different sessions!

Posted on 2003-10-24
Last Modified: 2010-04-01
Currently I am faced with a somewhat annoying problem; I have no idea what I did wrong.
The problem has to do with session tracking.
Currently, I am coding a site which includes a login function. It should be a one-time login, meaning that once he logs in, everywhere he goes in my site, the session variables which were set when he logged in should stay with him (and so the session should also stay with him).

Okie, here's the part which gives the problem. Imagine this: I am using frames, and the top frame has the table that houses the form for the user to type in his username and pass. The frame is stored in the root of the web server.

Here's part of the code:
<form name="form1" method="post" action="<%=response.encodeURL(request.getContextPath()+"/Member/LogInProcess.jsp")%>">
        <table width="100%" border="0" cellspacing="0" cellpadding="0">
          <!--DWLayoutTable-->
          <tr>
            <td height="24" colspan="2" bgcolor="#99CCFF"><font align="left" color="#003399" size="2" face="Arial, Helvetica, sans-serif"><b>Member
              Login</b></font></td>
            <td colspan="3"><font color="#006699" size="2" face="Arial, Helvetica, sans-serif"><a href="Member/classes/SunnyTimes/Member/Register.jsp" target="mainFrame">Register?</a></font></td>
            <td colspan="5"><font color="#006699" size="2" face="Arial, Helvetica, sans-serif"><a href="Member/classes/SunnyTimes/Member/RetrievePass.jsp" target="mainFrame">Forgotten
              your password?</a></font></td>
          </tr>
          <tr>
            <td width="80" height="24" valign="top"><font color="#003399" size="2" face="Arial, Helvetica, sans-serif"><b>Username:</b></font></td>
            <td colspan="2"><input name="Username" type="text" id="Username" size="15"></td>
            <td width="3">&nbsp;</td>
            <td colspan="2" align="center" valign="top"><font color="#003399" size="2" face="Arial, Helvetica, sans-serif"><b>Password:</b></font></td>
            <td width="1">&nbsp;</td>
            <td width="91"><input name="Password" type="password" id="Password3" size="15"></td>
            <td width="47" valign="top"><input type="submit" name="Submit" value="Login"></td>
            <td width="104">&nbsp;</td>
          </tr>
          <tr>
            <td height="0"></td>
            <td width="39"></td>
            <td width="51"></td>
            <td></td>
            <td width="77"></td>
            <td width="9"></td>
            <td></td>
            <td></td>
            <td></td>
            <td></td>
          </tr>
        </table>
      </form>

As you can see, the form posts to a LoginProcess.jsp. That page is situated in another directory (namely "/Member/LoginProcess.jsp"). I did encode the URL, but it would seem that the session is different there.

Now for the problem.

I have a session variable in LoginProcess.jsp that I set when the user successfully logs in. This session variable is supposed to store the authentication level (member, admin, moderator) of the user. Once the setting of the variable is done, I redirect the page back to the root folder's frame (the one housing the form that enables the user to log in). But this time it is different: I check the authentication by checking the session variable I set in LoginProcess.jsp. Problem: the value is ALWAYS null....

After some testing, I found out that the session object is always renewed once a page is not in the same directory as the requesting page (and if the page is redirected back, the original session object takes over).
A graphic representation is as follows:

page A, sessionID A, directory A ----gets redirected into (with URL rewriting)-------->
---> page B ,sessionID B directory B.

what i wish to obtain

page A, sessionID A, directory A ----gets redirected into (with URL rewriting)-------->
---> page B ,sessionID A directory B.

Is it possible??

If not, is there a way for me (a person using frames) to have a login that enables the user to stay authenticated everywhere he goes in my site (regardless of which page in which directory)?


Thanks. Advice needed urgently.

Eric


Question by:Erctheanda
LVL 2

Expert Comment

by:Karaa
Disable the cookies.
In server.xml, set "noCookies" to true:
<Context path="/Member" docBase="Member" debug="0"   cookies="false" reloadable="true" crossContext="true">

0
 
LVL 2

Expert Comment

by:Karaa
"null" may occur if the browser's cookies have been disabled.

response.encodeURL() will add the session id parameter to the URL if the browser doesn't support cookies. Otherwise, the URL remains the same.
0
 
LVL 2

Expert Comment

by:Karaa
Member/classes/SunnyTimes/Member/RetrievePass.jsp
This path is a little confusing, with "Member" coming twice. Better to use it once.
0
 
LVL 14

Expert Comment

by:kennethxu
As long as Dir A and Dir B are under the same context, they belong to the same web application. You should always have the same session regardless of where you are.

Which server and which browser are you using?

Some integrated IDE browsers have big problems tracking sessions; use IE or Netscape to test.

If you still have a problem, post your WEB-INF/web.xml file.
0
 

Author Comment

by:Erctheanda
I think my question is misunderstood. Sorry for my expression. English is not my strong point..

The situation is as follows.

I have 2 WARs, WAR A and WAR B, each belonging to their respective EARs: WAR A belongs to EAR A, WAR B belongs to EAR B.

Therefore I now have 2 pages. A.jsp belongs to WAR A. B.jsp belongs to WAR B.

What I am getting:

A.jsp with sessionid AAA --- redirects to---- B.jsp with sessionID BBB


What I want:

A.jsp with sessionid AAA --- redirects to --- B.jsp with sessionID AAA


Can the above be done?

If not, any ideas? The above is to facilitate the login of a member into my site.
The aim is that once he logs in, he won't have to log in anymore regardless of where he goes in MY SITE.

Thanks for the replies, but more help is needed.

Eric
0
 
LVL 14

Accepted Solution

by:
kennethxu earned 250 total points
No, there is no such thing as a session that can be accessed across web apps (or across WAR/servlet contexts; they are all the same thing).

The problem is that you are not using the standard J2EE security, otherwise you should be having such problem, the user will only need to log in once and you can get the user credential in all web apps, using request.getUserPrincipal() and request.isUserInRole(java.lang.String role) to get the username and determine if the user is in a certain role.

java web security tutorial:
http://www.onjava.com/pub/a/onjava/2001/08/06/webform.html

api:
http://java.sun.com/j2ee/sdk_1.3/techdocs/api/javax/servlet/http/HttpServletRequest.html
0
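The two calls named in the accepted answer can replace the hand-set session variable from the question. The following is an added example, not code from the thread: the class name AuthLevelFilter and the attribute names are assumptions, the role names are the levels listed in the question, and it assumes each web application already uses container-managed login.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (hypothetical class): derives the "authentication level" from
 * the container's login instead of a session variable. Map it to the protected
 * URLs with <filter>/<filter-mapping> in each web app's web.xml and declare
 * the roles there with <security-role>.
 */
public class AuthLevelFilter implements Filter {
    // Role names taken from the question, most privileged first.
    private static final String[] LEVELS = { "admin", "moderator", "member" };

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // null means the container has not authenticated this request.
        if (request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String level = null;
        for (String role : LEVELS) {
            if (request.isUserInRole(role)) { level = role; break; }
        }
        if (level == null) {  // authenticated, but holds none of the site's roles
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Request-scoped and recomputed on every request, so nothing has to be
        // carried from one web application's session to another's.
        request.setAttribute("authLevel", level);
        request.setAttribute("userName", request.getUserPrincipal().getName());
        chain.doFilter(req, res);
    }
}
```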
 
LVL 14

Expert Comment

by:kennethxu
Sorry, it should read as:
otherwise you shouldn't be having such a problem; with Java web security, the user is only required to log in once and ......
0
 

Author Comment

by:Erctheanda
Okie.. thanks Kenneth.

It is possible to use the J2EE security to authenticate users.

But is it possible to add users to a realm programmatically?

Meaning.. is there such a thing as

AddUser(String username, String pass, String Group)

in the API? If not, I would have to manually key in the user's details into the server's database... That would mean every time a person registers at my site, he would have to wait 2-3 days before an admin comes along to add his name into the server??

Please help once more... thanks
0
 
LVL 14

Expert Comment

by:kennethxu
There is no standard API for user management. Sun leaves this to the J2EE server vendor, so it is server dependent. But this is doable for most servers. Take Tomcat as an example.

By default Tomcat uses an XML file as the user repository, but it can also be configured to use database tables to store user/group info. You can easily use JAXP or JDBC to manage your XML or database user repository programmatically.

Tomcat also comes with an admin app, which not only lets you administer users/groups from a webapp, but also provides source code to show you how to do it programmatically.

Let me know if you have further enquires.
0
 

Author Comment

by:Erctheanda
Is there a document, URL or guide to tell me how to get the J2EE server (the one that comes with J2EE 1.3.1) to use a database table as a user repository?

Thanks Kenneth for the replies. You have been most helpful, but if I accept your answer now, I would have to close the question. Do bear with me for a while longer.

Thanks again.

Eric
0
 
LVL 14

Expert Comment

by:kennethxu
I don't use the J2EE reference implementation (J2EE RI). It might be possible to use a database table as the user repository, but I don't know how.

Sun's J2EE RI includes a customized version of Tomcat as its servlet container. Unless you want to use EJB and web services, I would suggest using Tomcat directly. The RI was designed to be easy to use. Good for learning and testing, but not for advanced programming, and it definitely should not be deployed to a production server.

If you are planning something for a production environment, look into Tomcat; if you need EJB, try out JBoss.
0
 

Author Comment

by:Erctheanda
Many Thanks kenneth. I will look into it.
0
 
LVL 14

Expert Comment

by:kennethxu
Something just came to my mind.

If the user id is the only information you would like to share across the applications, you might want to consider storing a cookie on the browser side; you can set the cookie to site level. This approach is not so secure because somebody can fake a cookie and gain access to your site. But it could be an easier solution if your site doesn't require strong security.
0
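The weakness named in the comment above, a site-level cookie that somebody can fake, is commonly addressed by having the server sign the value and check the signature on every request. This is an added example, not part of the thread: the class name SignedUserCookie, the value layout and the key shared by both web applications are assumptions, and the value would be sent in a cookie whose path is "/" so that both applications receive it.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added example (hypothetical class): a cookie value that cannot be forged without the server key. */
public class SignedUserCookie {
    private final byte[] key;
    public SignedUserCookie(byte[] key) { this.key = key.clone(); }

    private String mac(String payload) throws Exception {
        Mac hmac = Mac.getInstance("HmacSHA256");
        hmac.init(new SecretKeySpec(key, "HmacSHA256"));
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(hmac.doFinal(payload.getBytes(StandardCharsets.UTF_8)));
    }

    /** Value layout (assumed): base64url(userId) "." expiryEpochSeconds "." HMAC of the first two parts. */
    public String issue(String userId, long expiresAt) throws Exception {
        String payload = Base64.getUrlEncoder().withoutPadding()
                .encodeToString(userId.getBytes(StandardCharsets.UTF_8)) + "." + expiresAt;
        return payload + "." + mac(payload);
    }

    /** Returns the user id, or null if the value is malformed, altered or expired. */
    public String verify(String value, long now) throws Exception {
        String[] parts = value == null ? new String[0] : value.split("\\.", -1);
        if (parts.length != 3) return null;
        String payload = parts[0] + "." + parts[1];
        byte[] expected = mac(payload).getBytes(StandardCharsets.US_ASCII);
        byte[] supplied = parts[2].getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(expected, supplied)) return null;  // constant-time compare
        try {
            if (Long.parseLong(parts[1]) <= now) return null;         // expired
            return new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) { return null; }         // bad number or bad base64
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);    // in practice: one secret configured in both web apps
        SignedUserCookie c = new SignedUserCookie(key);
        long now = System.currentTimeMillis() / 1000;
        String value = c.issue("eric", now + 1800);                   // constructed sample user id
        System.out.println("valid value    -> " + c.verify(value, now));
        System.out.println("altered userId -> " + c.verify(value.replace("ZXJpYw", "YWRtaW4"), now));
        System.out.println("after expiry   -> " + c.verify(value, now + 3600));
    }
}
```

Only the first call in `main` yields a user id; the altered and the expired value both come back as null, which the receiving page treats as "not logged in".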
 
LVL 14

Expert Comment

by:kennethxu
My pleasure and thanks for the A grade.
some additional information might help you if you would like to try Tomcat DBrealm:
http://www.onjava.com/pub/a/onjava/2001/07/24/tomcat.html?page=2
0
