Solved

Why isn't my JSP session working on some computers?

Posted on 2003-11-07
5
524 Views
Last Modified: 2010-04-01
I've set up a members-only area on a website, and it seems 95% of my members use it just fine.  There are a few, however, who e-mail me to complain that they can login to the main member page, but cannot browse to any subsequent pages.  This sounds to me like exactly the problem somebody would have if they have cookies disabled, but they swear they have cookies enabled.  It seems the majority of these users are using Mac OS 9, but not all of them.  Could you take a look at my code and let me know if there's anything I'm doing wrong that might create this problem?  Here are the relevant bits of code I'm using:

ON THE LOGIN PAGE:

<%
// *** Validate request to log in to this site.
String MM_LoginAction = request.getRequestURI();
if (request.getQueryString() != null && request.getQueryString().length() > 0) MM_LoginAction += "?" + request.getQueryString();
String MM_valUsername=request.getParameter("username");
if (MM_valUsername != null) {
  String MM_fldUserAuthorization="";
  String MM_redirectLoginSuccess="tos.jsp";
  String MM_redirectLoginFailed="sorry.jsp";
  String MM_redirectLogin=MM_redirectLoginFailed;
  Driver MM_driverUser = (Driver)Class.forName(MM_tba_DRIVER).newInstance();
  Connection MM_connUser = DriverManager.getConnection(MM_tba_STRING,MM_tba_USERNAME,MM_tba_PASSWORD);
  String MM_pSQL = "SELECT *";
  if (!MM_fldUserAuthorization.equals("")) MM_pSQL += "," + MM_fldUserAuthorization;
  MM_pSQL += " FROM tba_members WHERE username=\'" + MM_valUsername.replace('\'', ' ') + "\' AND password=\'" + request.getParameter("password").toString().replace('\'', ' ') + "\' AND exp_date > Now()";
  PreparedStatement MM_statementUser = MM_connUser.prepareStatement(MM_pSQL);
  ResultSet MM_rsUser = MM_statementUser.executeQuery();
  boolean MM_rsUser_isNotEmpty = MM_rsUser.next();
  if (MM_rsUser_isNotEmpty) {
    // username and password match - this is a valid user
    session.putValue("MM_Member_Username", MM_valUsername);
      session.putValue("membID", MM_rsUser.getObject("membID"));
      session.putValue("type", MM_rsUser.getObject("type"));
      session.setMaxInactiveInterval(216000);
    if ((request.getParameter("accessdenied") != null) && false) {
      MM_redirectLoginSuccess = request.getParameter("accessdenied");
    }
    if(Integer.parseInt(MM_rsUser.getObject("tos_flag").toString()) == 1 && Integer.parseInt(MM_rsUser.getObject("passflag").toString()) == 0){ MM_redirectLoginSuccess="tos_passchange.jsp";
    } else {
            if (Integer.parseInt(MM_rsUser.getObject("tos_flag").toString()) == 1 && Integer.parseInt(MM_rsUser.getObject("passflag").toString()) == 1){ MM_redirectLoginSuccess="membermain.jsp";}
      }
            MM_redirectLogin=MM_redirectLoginSuccess;
  }
  MM_rsUser.close();
  MM_connUser.close();
  response.sendRedirect(response.encodeRedirectURL(MM_redirectLogin));
  return;
}
%>

INCLUDED ON ALL MEMBER PAGES:

<%
// *** Restrict Access To Page: Grant or deny access to this page
String MM_authorizedUsers="";
String MM_authFailedURL="sorry.jsp";
boolean MM_grantAccess=false;
if (session.getValue("MM_Member_Username") != null && !session.getValue("MM_Member_Username").equals("")) {
  if (true || (session.getValue("MM_UserAuthorization")=="") ||
          (MM_authorizedUsers.indexOf((String)session.getValue("MM_UserAuthorization")) >=0)) {
    MM_grantAccess = true;
  }
}
if (!MM_grantAccess) {
  String MM_qsChar = "?";
  if (MM_authFailedURL.indexOf("?") >= 0) MM_qsChar = "&";
  String MM_referrer = request.getRequestURI();
  if (request.getQueryString() != null) MM_referrer = MM_referrer + "?" + request.getQueryString();
  MM_authFailedURL = MM_authFailedURL + MM_qsChar + "accessdenied=" + java.net.URLEncoder.encode(MM_referrer);
  response.sendRedirect(response.encodeRedirectURL(MM_authFailedURL));
  return;
}
%>

Alternatively, if you have any suggestions from your experience on ways to cope with this problem (I can't be the first!), I'd love to hear them.

Thanks,
Daniel
0
Comment
Question by:deolmstead
  • 4
5 Comments
 
LVL 14

Expert Comment

by:kennethxu
ID: 9703320
you code looks fine to me exception there is something meaningless, like:
if (true || (session.getValue("MM_UserAuthorization")=="") || ....
which will always be true.

you are encoding all URLs so even if the browser doesn't support cookie, server will automatically us url rewrite for session tracking.

Are you using https? IE is known of having problem with https sessions. Can you let us know what exactly the error message user get when they click on the link and the link itself?
0
 

Author Comment

by:deolmstead
ID: 9705412
No, none of the area uses https - it's all just members-only info, no credit cards or personal information.

Users don't get an error message, they simply get redirected to the "sorry.jsp" page, as though their authentication failed.  So they login successfully, make it as far as the "welcome to the members area" page, but any link they click on from there comes up unauthorized.  It's like their session is getting reset somehow, though there's nothing on the welcome page to do that...and it wouldn't explain why it works for MOST of the population, and not these particular people.

That meaningless bit of code is puzzling.  It's the code Dreamweaver generates automatically, so I don't really know what it's supposed to accomplish.

Your help is appreciated.
Thanks,
Daniel
0
 
LVL 14

Expert Comment

by:kennethxu
ID: 9705800
I would suggest you to use standard j2ee security model:
http://www.onjava.com/pub/a/onjava/2001/08/06/webform.html

if you are using tomcat, also check out DBRealm:
http://www.onjava.com/pub/a/onjava/2001/07/24/tomcat.html?page=2 
0
 
LVL 14

Accepted Solution

by:
kennethxu earned 200 total points
ID: 9705802
also, make sure the link on your welcome page are url encoded.
0
 
LVL 14

Expert Comment

by:kennethxu
ID: 9787560
did you solved your problem?
please check out this:
http://www.experts-exchange.com/help/qnaFAQ.jsp#3
thanks.
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
method inner class 6 82
best way to search/remove a file from an EAR file 3 106
Books that can get me started on JAVA 2 93
null output 3 24
Examines three attack vectors, specifically, the different types of malware used in malicious attacks, web application attacks, and finally, network based attacks.  Concludes by examining the means of securing and protecting critical systems and inf…
Binary Differential Replication, What it is, how it works and how it differs from standard delta file replication
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now