Solved

Why isn't my JSP session working on some computers?

Posted on 2003-11-07
Last Modified: 2010-04-01
I've set up a members-only area on a website, and it seems 95% of my members use it just fine. There are a few, however, who e-mail me to complain that they can log in to the main member page, but cannot browse to any subsequent pages. This sounds to me like exactly the problem somebody would have if they have cookies disabled, but they swear they have cookies enabled. It seems the majority of these users are using Mac OS 9, but not all of them. Could you take a look at my code and let me know if there's anything I'm doing wrong that might create this problem? Here are the relevant bits of code I'm using:

ON THE LOGIN PAGE:

<%
// *** Validate request to log in to this site.
String MM_LoginAction = request.getRequestURI();
if (request.getQueryString() != null && request.getQueryString().length() > 0) MM_LoginAction += "?" + request.getQueryString();
String MM_valUsername=request.getParameter("username");
if (MM_valUsername != null) {
  String MM_fldUserAuthorization="";
  String MM_redirectLoginSuccess="tos.jsp";
  String MM_redirectLoginFailed="sorry.jsp";
  String MM_redirectLogin=MM_redirectLoginFailed;
  Driver MM_driverUser = (Driver)Class.forName(MM_tba_DRIVER).newInstance();
  Connection MM_connUser = DriverManager.getConnection(MM_tba_STRING,MM_tba_USERNAME,MM_tba_PASSWORD);
  String MM_pSQL = "SELECT *";
  if (!MM_fldUserAuthorization.equals("")) MM_pSQL += "," + MM_fldUserAuthorization;
  MM_pSQL += " FROM tba_members WHERE username=\'" + MM_valUsername.replace('\'', ' ') + "\' AND password=\'" + request.getParameter("password").toString().replace('\'', ' ') + "\' AND exp_date > Now()";
  PreparedStatement MM_statementUser = MM_connUser.prepareStatement(MM_pSQL);
  ResultSet MM_rsUser = MM_statementUser.executeQuery();
  boolean MM_rsUser_isNotEmpty = MM_rsUser.next();
  if (MM_rsUser_isNotEmpty) {
    // username and password match - this is a valid user
    session.putValue("MM_Member_Username", MM_valUsername);
    session.putValue("membID", MM_rsUser.getObject("membID"));
    session.putValue("type", MM_rsUser.getObject("type"));
    session.setMaxInactiveInterval(216000);
    if ((request.getParameter("accessdenied") != null) && false) {
      MM_redirectLoginSuccess = request.getParameter("accessdenied");
    }
    if (Integer.parseInt(MM_rsUser.getObject("tos_flag").toString()) == 1 && Integer.parseInt(MM_rsUser.getObject("passflag").toString()) == 0) {
      MM_redirectLoginSuccess="tos_passchange.jsp";
    } else {
      if (Integer.parseInt(MM_rsUser.getObject("tos_flag").toString()) == 1 && Integer.parseInt(MM_rsUser.getObject("passflag").toString()) == 1) {
        MM_redirectLoginSuccess="membermain.jsp";
      }
    }
    MM_redirectLogin=MM_redirectLoginSuccess;
  }
  MM_rsUser.close();
  MM_connUser.close();
  response.sendRedirect(response.encodeRedirectURL(MM_redirectLogin));
  return;
}
%>

INCLUDED ON ALL MEMBER PAGES:

<%
// *** Restrict Access To Page: Grant or deny access to this page
String MM_authorizedUsers="";
String MM_authFailedURL="sorry.jsp";
boolean MM_grantAccess=false;
if (session.getValue("MM_Member_Username") != null && !session.getValue("MM_Member_Username").equals("")) {
  if (true || (session.getValue("MM_UserAuthorization")=="") ||
          (MM_authorizedUsers.indexOf((String)session.getValue("MM_UserAuthorization")) >=0)) {
    MM_grantAccess = true;
  }
}
if (!MM_grantAccess) {
  String MM_qsChar = "?";
  if (MM_authFailedURL.indexOf("?") >= 0) MM_qsChar = "&";
  String MM_referrer = request.getRequestURI();
  if (request.getQueryString() != null) MM_referrer = MM_referrer + "?" + request.getQueryString();
  MM_authFailedURL = MM_authFailedURL + MM_qsChar + "accessdenied=" + java.net.URLEncoder.encode(MM_referrer);
  response.sendRedirect(response.encodeRedirectURL(MM_authFailedURL));
  return;
}
%>

Alternatively, if you have any suggestions from your experience on ways to cope with this problem (I can't be the first!), I'd love to hear them.

Thanks,
Daniel
Question by:deolmstead

Expert Comment

by:kennethxu
Your code looks fine to me, except there is something meaningless, like:
if (true || (session.getValue("MM_UserAuthorization")=="") || ....
which will always be true.

You are encoding all URLs, so even if the browser doesn't support cookies, the server will automatically use URL rewriting for session tracking.

Are you using https? IE is known for having problems with https sessions. Can you let us know exactly what error message users get when they click on the link, and the link itself?
0
 

Author Comment

by:deolmstead
No, none of the area uses https - it's all just members-only info, no credit cards or personal information.

Users don't get an error message, they simply get redirected to the "sorry.jsp" page, as though their authentication failed. So they log in successfully, make it as far as the "welcome to the members area" page, but any link they click on from there comes up unauthorized. It's like their session is getting reset somehow, though there's nothing on the welcome page to do that...and it wouldn't explain why it works for MOST of the population, and not these particular people.

That meaningless bit of code is puzzling.  It's the code Dreamweaver generates automatically, so I don't really know what it's supposed to accomplish.

Your help is appreciated.
Thanks,
Daniel
0
 
LVL 14

Expert Comment

by:kennethxu
I would suggest you use the standard J2EE security model:
http://www.onjava.com/pub/a/onjava/2001/08/06/webform.html

If you are using Tomcat, also check out DBRealm:
http://www.onjava.com/pub/a/onjava/2001/07/24/tomcat.html?page=2
0
 
LVL 14

Accepted Solution

by:
kennethxu earned 200 total points
Also, make sure the links on your welcome page are URL encoded.
0
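An added example, not part of the thread or the poster's site: a simplified simulation in plain Java (no servlet API) of cookie-or-URL session tracking, showing why the encoded login redirect reaches the welcome page while an unencoded link from it ends up at sorry.jsp when the browser does not return the cookie. The page name news.jsp, the session id and the user name are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;
// Constructed simulation: sessions are found by cookie, or by a
// ";jsessionid=" path parameter when the browser returns no cookie.
public class SessionRewriteDemo {
    static final Map<String, Map<String, Object>> SESSIONS = new HashMap<>();

    // Simplified form of the decision encodeURL()/encodeRedirectURL() make:
    // rewrite only when the client did not present the session cookie.
    static String encodeURL(String url, String sessionId, boolean cookieReturned) {
        if (cookieReturned) return url;
        int q = url.indexOf('?');
        String path = q < 0 ? url : url.substring(0, q);
        String query = q < 0 ? "" : url.substring(q);
        return path + ";jsessionid=" + sessionId + query;
    }

    // Resolve the session for an incoming request: cookie first, then the
    // id carried in the URL (12 is the length of ";jsessionid=").
    static Map<String, Object> resolve(String url, String cookieSessionId) {
        String id = cookieSessionId;
        int p = url.indexOf(";jsessionid=");
        if (id == null && p >= 0) {
            int end = url.indexOf('?', p);
            id = url.substring(p + 12, end < 0 ? url.length() : end);
        }
        return id == null ? null : SESSIONS.get(id);
    }

    // Same test as the include on the member pages: is a username in session?
    static boolean granted(String url, String cookieSessionId) {
        Map<String, Object> s = resolve(url, cookieSessionId);
        return s != null && s.get("MM_Member_Username") != null;
    }

    public static void main(String[] args) {
        String sid = "CONSTRUCTED-SESSION-ID";          // placeholder id
        Map<String, Object> session = new HashMap<>();
        session.put("MM_Member_Username", "daniel");    // constructed user
        SESSIONS.put(sid, session);
        // Browser that never sends the cookie back (null cookie below).
        String redirect = encodeURL("membermain.jsp", sid, false);
        System.out.println(redirect + " granted=" + granted(redirect, null));
        System.out.println("news.jsp (plain href) granted=" + granted("news.jsp", null));
        String link = encodeURL("news.jsp?id=3", sid, false);
        System.out.println(link + " granted=" + granted(link, null));
        // Browser that does return the cookie: plain links are enough.
        System.out.println("news.jsp (cookie) granted=" + granted("news.jsp", sid));
    }
}
```

A session id carried in the URL also shows up in server logs, browser history and Referer headers, so rewritten links widen where the id is exposed.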
 
LVL 14

Expert Comment

by:kennethxu
Did you solve your problem?
Please check this out:
http://www.experts-exchange.com/help/qnaFAQ.jsp#3
Thanks.
0
