different path, different sessions!

Currently i am faced with a somewhat annoying problem, i have no idea what i did wrong.
The problem has to do with session tracking,
Currrently, i am coding a site , which inlcudes a logging in function. It should be a on time login. meaning, once he logs in, everywhere he goes in my site, the session variables which was set when he logged in should stay with him (and so the session should also stay with him).

okie. heres the part which gives the problem. Imagine this, i am using frames, the top frame has the table that houses the form for the user to type in his username and pass,  The frame is stored in the root of the web server

heres part of the code;
<form name="form1" method="post" action="<%=response.encodeURL(request.getContextPath()+"/Member/LogInProcess.jsp)%>">
        <table width="100%" border="0" cellspacing="0" cellpadding="0">
            <td height="24" colspan="2" bgcolor="#99CCFF"><font align="left" color="#003399" size="2" face="Arial, Helvetica, sans-serif"><b>Member
            <td colspan="3"><font color="#006699" size="2" face="Arial, Helvetica, sans-serif"><a href="Member/classes/SunnyTimes/Member/Register.jsp" target="mainFrame">Register?</a></font></td>
            <td colspan="5"><font color="#006699" size="2" face="Arial, Helvetica, sans-serif"><a href="Member/classes/SunnyTimes/Member/RetrievePass.jsp" target="mainFrame">Forgotten
              your password?</a></font></td>
            <td width="80" height="24" valign="top"><font color="#003399" size="2" face="Arial, Helvetica, sans-serif"><b>Username:</b></font></td>
            <td colspan="2"><input name="Username" type="text" id="Username" size="15"></td>
            <td width="3">&nbsp;</td>
            <td colspan="2" align="center" valign="top"><font color="#003399" size="2" face="Arial, Helvetica, sans-serif"><b>Password:</b></font></td>
            <td width="1">&nbsp;</td>
            <td width="91"><input name="Password" type="password" id="Password3" size="15"></td>
            <td width="47" valign="top"><input type="submit" name="Submit" value="Login"></td>
            <td width="104">&nbsp;</td>
            <td height="0"></td>
            <td width="39"></td>
            <td width="51"></td>
            <td width="77"></td>
            <td width="9"></td>

as you can see.. the form posts to a loginProcess.jsp . That page is situated into another directory (namely "/Membe/LoginProcess.jsp"). I did encode the URL, but it would seem that the session is different there.

Now for the problem,

I have a session variable in the loginprocess.jsp that i set when the user successfully logs in. This session variable is suppose to store the authentication level ( member, admin, moderator) of the user. once the setting of the variable is done, i redirect the page back to the root folder's frame... (the one housing the form that enables the user to log in.) But this time is different, i check the authentication by checking the session variable i set in LoginProcess.jsp. Problem : The value is ALWAYS null....

after some testing, i found out that the session object is always renewed once a page that is not on the same directory of the requesting page. ( and if the page is redirected back, the original session object takes over.)
A graphic representation is as follows

page A, sessionID A, directory A ----gets redirected into (with URL rewriting)-------->
---> page B ,sessionID B directory B.

what i wish to obtain

page A, sessionID A, directory A ----gets redirected into (with URL rewriting)-------->
---> page B ,sessionID A directory B.

Is it possible??

If not, is there a way for me ( a person using frames ) to have a login that enables the user to stay authenticated everywhere he goes in my site (irregardless of which page in which directory)

Thanks. Advice needed urgently.


Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

disable the cookies
In server.xml. "noCookies" set to true
<Context path="/Member" docBase="Member" debug="0"   cookies="false" reloadable="true" crossContext="true">

"null" may be
if the cookies of the browser have been disable.

response.encodeURL() will add session id parameter to url if the browser doesn't support cookies. Otherwise, the url remain the same.
This path is little confusing "Member comming twice"? better to use once
Rowby Goren Makes an Impact on Screen and Online

Learn about longtime user Rowby Goren and his great contributions to the site. We explore his method for posing questions that are likely to yield a solution, and take a look at how his career transformed from a Hollywood writer to a website entrepreneur.

As long as Dir A and Dir B under same context, that means they belong to same web application. you should always have same session regardless of where you are.

Which server and which browser are you using?

Some intergrated IDE browser have big problem to track session, use IE or Netscape to test.

If you still have problem, post your WEB-INF/web.xml file.
ErctheandaAuthor Commented:
I think my question is misundestood. Sorry for my expression. English is not my strong point..

Situation is as follows.

I have 2 WARs--- WAR A and WAR B-- each belonging to their respective EARs -- WAR A belongs to EAR A, WAR B belongs to EAR B.---

Therefore now i have 2 pages. A.jsp belongs to WAR A. B.jsp belongs to WAR B.

what i am getting.

A.jsp with sessionid AAA --- redirects to---- B.jsp with sessionID BBB

What i want,

A.jsp with sessionid AAA --- redirects to --- B.jsp with sessionID AAA

Can the above be done?

If not, any ideas? the above is to faciltate the login of a member into my site.
Aim is that once he logs in, he won't have to login anymore regardless of where he goes in MY SITE.

Thanks for the replies, but more help is needed.

No, there is not such thing that session can be access cross web app ( or cross war/servlet context, they are all same thing).

The problem is that you are not using the standard J2EE security, otherwise you should be having such problem, use will only need to login once and you can get user credential in all web apps using request.getUserPrincipal() and request.isUserInRole(java.lang.String role) to get username and determine if user is in certain role.

java web security tutorial:


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
sorry it should read as:
otherwise you shouldn't be having such problem, with java web security, user is only required to loin once and ......
ErctheandaAuthor Commented:
Okie.. thanks Kenneth.

It is possible to use the J2EE security to authenticate users.

But is it possible to add users to a realm programmatically?

Meaning.. is there such a thing as

AddUser(String username, String pass, String Group)

in the API? if not.. I would have to manaully Key in the user' details into the server's database... That would mean.. everytime a person registers at my site, he would have to wait 2-3 days before an admin comes along to add his name into the server??

Please help once more... thanks
There is no standard API for user management. SUN leaves this to j2ee server vendor, so it is per server dependent. But this is doable for most servers. take tomcat as an example.

by default tomcat uses an xml file as user repository. but it can also be configured to use database tables to store user/group info. you can easily use JAXP or JDBC to manage your xml or database user repository programmacally.

tomcat also come with an admin app, which not only let you adminstrate user/group from a webapp, but also provide source code to show you how to do it programmatically.

Let me know if you have further enquires.
ErctheandaAuthor Commented:
Is there a docu or URL or guide to tell me how to get J2EE sever ( the one that comes with J2EE 1.3.1) to use a database table as a user repository?

thanks kenneth for the replies. you have been most helpful. but if i accept your answer now, i would have to close the question. Do bear with me for a while longer.

Thanks again.

I don't use j2ee reference implmentation (J2EE RI). It might possible to use database table as user repository but I don't know how.

the sun's j2ee RI includes a customized version of tomcat as its servlet container. unless you want to use ejb and web services. I would suggest to use tomcat directly. The RI was designed for easy to use. Good for leaning and testing, but not for advanced programming, and definately should not be deployed to a production server.

If you are planning something for production environment. Look into Tomcat, if you need ejb, try out JBoss.
ErctheandaAuthor Commented:
Many Thanks kenneth. I will look into it.
something just come to my mind.

If the user id is the only information you would like to sure accross the applications. You might want to consider to store a cookie in browser side, you can set the cookie to site level. This approach is not so secure because somebody can fake a cookie and gain access to your site. But it could be an easier solution if your site doesn't require strong security.
My pleasure and thanks for the A grade.
some additional information might help you if you would like to try Tomcat DBrealm:
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.