?
Solved

Why isn't my JSP session working on some computers?

Posted on 2003-11-07
5
Medium Priority
?
535 Views
Last Modified: 2010-04-01
I've set up a members-only area on a website, and it seems 95% of my members use it just fine.  There are a few, however, who e-mail me to complain that they can login to the main member page, but cannot browse to any subsequent pages.  This sounds to me like exactly the problem somebody would have if they have cookies disabled, but they swear they have cookies enabled.  It seems the majority of these users are using Mac OS 9, but not all of them.  Could you take a look at my code and let me know if there's anything I'm doing wrong that might create this problem?  Here are the relevant bits of code I'm using:

ON THE LOGIN PAGE:

<%
// *** Validate request to log in to this site.
String MM_LoginAction = request.getRequestURI();
if (request.getQueryString() != null && request.getQueryString().length() > 0) MM_LoginAction += "?" + request.getQueryString();
String MM_valUsername=request.getParameter("username");
if (MM_valUsername != null) {
  String MM_fldUserAuthorization="";
  String MM_redirectLoginSuccess="tos.jsp";
  String MM_redirectLoginFailed="sorry.jsp";
  String MM_redirectLogin=MM_redirectLoginFailed;
  Driver MM_driverUser = (Driver)Class.forName(MM_tba_DRIVER).newInstance();
  Connection MM_connUser = DriverManager.getConnection(MM_tba_STRING,MM_tba_USERNAME,MM_tba_PASSWORD);
  String MM_pSQL = "SELECT *";
  if (!MM_fldUserAuthorization.equals("")) MM_pSQL += "," + MM_fldUserAuthorization;
  MM_pSQL += " FROM tba_members WHERE username=\'" + MM_valUsername.replace('\'', ' ') + "\' AND password=\'" + request.getParameter("password").toString().replace('\'', ' ') + "\' AND exp_date > Now()";
  PreparedStatement MM_statementUser = MM_connUser.prepareStatement(MM_pSQL);
  ResultSet MM_rsUser = MM_statementUser.executeQuery();
  boolean MM_rsUser_isNotEmpty = MM_rsUser.next();
  if (MM_rsUser_isNotEmpty) {
    // username and password match - this is a valid user
    session.putValue("MM_Member_Username", MM_valUsername);
      session.putValue("membID", MM_rsUser.getObject("membID"));
      session.putValue("type", MM_rsUser.getObject("type"));
      session.setMaxInactiveInterval(216000);
    if ((request.getParameter("accessdenied") != null) && false) {
      MM_redirectLoginSuccess = request.getParameter("accessdenied");
    }
    if(Integer.parseInt(MM_rsUser.getObject("tos_flag").toString()) == 1 && Integer.parseInt(MM_rsUser.getObject("passflag").toString()) == 0){ MM_redirectLoginSuccess="tos_passchange.jsp";
    } else {
            if (Integer.parseInt(MM_rsUser.getObject("tos_flag").toString()) == 1 && Integer.parseInt(MM_rsUser.getObject("passflag").toString()) == 1){ MM_redirectLoginSuccess="membermain.jsp";}
      }
            MM_redirectLogin=MM_redirectLoginSuccess;
  }
  MM_rsUser.close();
  MM_connUser.close();
  response.sendRedirect(response.encodeRedirectURL(MM_redirectLogin));
  return;
}
%>

INCLUDED ON ALL MEMBER PAGES:

<%
// *** Restrict Access To Page: Grant or deny access to this page
String MM_authorizedUsers="";
String MM_authFailedURL="sorry.jsp";
boolean MM_grantAccess=false;
if (session.getValue("MM_Member_Username") != null && !session.getValue("MM_Member_Username").equals("")) {
  if (true || (session.getValue("MM_UserAuthorization")=="") ||
          (MM_authorizedUsers.indexOf((String)session.getValue("MM_UserAuthorization")) >=0)) {
    MM_grantAccess = true;
  }
}
if (!MM_grantAccess) {
  String MM_qsChar = "?";
  if (MM_authFailedURL.indexOf("?") >= 0) MM_qsChar = "&";
  String MM_referrer = request.getRequestURI();
  if (request.getQueryString() != null) MM_referrer = MM_referrer + "?" + request.getQueryString();
  MM_authFailedURL = MM_authFailedURL + MM_qsChar + "accessdenied=" + java.net.URLEncoder.encode(MM_referrer);
  response.sendRedirect(response.encodeRedirectURL(MM_authFailedURL));
  return;
}
%>

Alternatively, if you have any suggestions from your experience on ways to cope with this problem (I can't be the first!), I'd love to hear them.

Thanks,
Daniel
0
Comment
Question by:deolmstead
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
5 Comments
 
LVL 14

Expert Comment

by:kennethxu
ID: 9703320
you code looks fine to me exception there is something meaningless, like:
if (true || (session.getValue("MM_UserAuthorization")=="") || ....
which will always be true.

you are encoding all URLs so even if the browser doesn't support cookie, server will automatically us url rewrite for session tracking.

Are you using https? IE is known of having problem with https sessions. Can you let us know what exactly the error message user get when they click on the link and the link itself?
0
 

Author Comment

by:deolmstead
ID: 9705412
No, none of the area uses https - it's all just members-only info, no credit cards or personal information.

Users don't get an error message, they simply get redirected to the "sorry.jsp" page, as though their authentication failed.  So they login successfully, make it as far as the "welcome to the members area" page, but any link they click on from there comes up unauthorized.  It's like their session is getting reset somehow, though there's nothing on the welcome page to do that...and it wouldn't explain why it works for MOST of the population, and not these particular people.

That meaningless bit of code is puzzling.  It's the code Dreamweaver generates automatically, so I don't really know what it's supposed to accomplish.

Your help is appreciated.
Thanks,
Daniel
0
 
LVL 14

Expert Comment

by:kennethxu
ID: 9705800
I would suggest you to use standard j2ee security model:
http://www.onjava.com/pub/a/onjava/2001/08/06/webform.html

if you are using tomcat, also check out DBRealm:
http://www.onjava.com/pub/a/onjava/2001/07/24/tomcat.html?page=2 
0
 
LVL 14

Accepted Solution

by:
kennethxu earned 400 total points
ID: 9705802
also, make sure the link on your welcome page are url encoded.
0
 
LVL 14

Expert Comment

by:kennethxu
ID: 9787560
did you solved your problem?
please check out this:
http://www.experts-exchange.com/help/qnaFAQ.jsp#3
thanks.
0

Featured Post

Want to be a Web Developer? Get Certified Today!

Enroll in the Certified Web Development Professional course package to learn HTML, Javascript, and PHP. Build a solid foundation to work toward your dream job!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
This month, Experts Exchange’s free Course of the Month is focused on CompTIA IT Fundamentals.
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…

766 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question