• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 542
  • Last Modified:

Why isn't my JSP session working on some computers?

I've set up a members-only area on a website, and it seems 95% of my members use it just fine.  There are a few, however, who e-mail me to complain that they can login to the main member page, but cannot browse to any subsequent pages.  This sounds to me like exactly the problem somebody would have if they have cookies disabled, but they swear they have cookies enabled.  It seems the majority of these users are using Mac OS 9, but not all of them.  Could you take a look at my code and let me know if there's anything I'm doing wrong that might create this problem?  Here are the relevant bits of code I'm using:

ON THE LOGIN PAGE:

<%
// *** Validate request to log in to this site.
String MM_LoginAction = request.getRequestURI();
if (request.getQueryString() != null && request.getQueryString().length() > 0) MM_LoginAction += "?" + request.getQueryString();
String MM_valUsername=request.getParameter("username");
if (MM_valUsername != null) {
  String MM_fldUserAuthorization="";
  String MM_redirectLoginSuccess="tos.jsp";
  String MM_redirectLoginFailed="sorry.jsp";
  String MM_redirectLogin=MM_redirectLoginFailed;
  Driver MM_driverUser = (Driver)Class.forName(MM_tba_DRIVER).newInstance();
  Connection MM_connUser = DriverManager.getConnection(MM_tba_STRING,MM_tba_USERNAME,MM_tba_PASSWORD);
  String MM_pSQL = "SELECT *";
  if (!MM_fldUserAuthorization.equals("")) MM_pSQL += "," + MM_fldUserAuthorization;
  MM_pSQL += " FROM tba_members WHERE username=\'" + MM_valUsername.replace('\'', ' ') + "\' AND password=\'" + request.getParameter("password").toString().replace('\'', ' ') + "\' AND exp_date > Now()";
  PreparedStatement MM_statementUser = MM_connUser.prepareStatement(MM_pSQL);
  ResultSet MM_rsUser = MM_statementUser.executeQuery();
  boolean MM_rsUser_isNotEmpty = MM_rsUser.next();
  if (MM_rsUser_isNotEmpty) {
    // username and password match - this is a valid user
    session.putValue("MM_Member_Username", MM_valUsername);
      session.putValue("membID", MM_rsUser.getObject("membID"));
      session.putValue("type", MM_rsUser.getObject("type"));
      session.setMaxInactiveInterval(216000);
    if ((request.getParameter("accessdenied") != null) && false) {
      MM_redirectLoginSuccess = request.getParameter("accessdenied");
    }
    if(Integer.parseInt(MM_rsUser.getObject("tos_flag").toString()) == 1 && Integer.parseInt(MM_rsUser.getObject("passflag").toString()) == 0){ MM_redirectLoginSuccess="tos_passchange.jsp";
    } else {
            if (Integer.parseInt(MM_rsUser.getObject("tos_flag").toString()) == 1 && Integer.parseInt(MM_rsUser.getObject("passflag").toString()) == 1){ MM_redirectLoginSuccess="membermain.jsp";}
      }
            MM_redirectLogin=MM_redirectLoginSuccess;
  }
  MM_rsUser.close();
  MM_connUser.close();
  response.sendRedirect(response.encodeRedirectURL(MM_redirectLogin));
  return;
}
%>

INCLUDED ON ALL MEMBER PAGES:

<%
// *** Restrict Access To Page: Grant or deny access to this page
String MM_authorizedUsers="";
String MM_authFailedURL="sorry.jsp";
boolean MM_grantAccess=false;
if (session.getValue("MM_Member_Username") != null && !session.getValue("MM_Member_Username").equals("")) {
  if (true || (session.getValue("MM_UserAuthorization")=="") ||
          (MM_authorizedUsers.indexOf((String)session.getValue("MM_UserAuthorization")) >=0)) {
    MM_grantAccess = true;
  }
}
if (!MM_grantAccess) {
  String MM_qsChar = "?";
  if (MM_authFailedURL.indexOf("?") >= 0) MM_qsChar = "&";
  String MM_referrer = request.getRequestURI();
  if (request.getQueryString() != null) MM_referrer = MM_referrer + "?" + request.getQueryString();
  MM_authFailedURL = MM_authFailedURL + MM_qsChar + "accessdenied=" + java.net.URLEncoder.encode(MM_referrer);
  response.sendRedirect(response.encodeRedirectURL(MM_authFailedURL));
  return;
}
%>

Alternatively, if you have any suggestions from your experience on ways to cope with this problem (I can't be the first!), I'd love to hear them.

Thanks,
Daniel
0
deolmstead
Asked:
deolmstead
  • 4
1 Solution
 
kennethxuCommented:
you code looks fine to me exception there is something meaningless, like:
if (true || (session.getValue("MM_UserAuthorization")=="") || ....
which will always be true.

you are encoding all URLs so even if the browser doesn't support cookie, server will automatically us url rewrite for session tracking.

Are you using https? IE is known of having problem with https sessions. Can you let us know what exactly the error message user get when they click on the link and the link itself?
0
 
deolmsteadAuthor Commented:
No, none of the area uses https - it's all just members-only info, no credit cards or personal information.

Users don't get an error message, they simply get redirected to the "sorry.jsp" page, as though their authentication failed.  So they login successfully, make it as far as the "welcome to the members area" page, but any link they click on from there comes up unauthorized.  It's like their session is getting reset somehow, though there's nothing on the welcome page to do that...and it wouldn't explain why it works for MOST of the population, and not these particular people.

That meaningless bit of code is puzzling.  It's the code Dreamweaver generates automatically, so I don't really know what it's supposed to accomplish.

Your help is appreciated.
Thanks,
Daniel
0
 
kennethxuCommented:
I would suggest you to use standard j2ee security model:
http://www.onjava.com/pub/a/onjava/2001/08/06/webform.html

if you are using tomcat, also check out DBRealm:
http://www.onjava.com/pub/a/onjava/2001/07/24/tomcat.html?page=2 
0
 
kennethxuCommented:
also, make sure the link on your welcome page are url encoded.
0
 
kennethxuCommented:
did you solved your problem?
please check out this:
http://www.experts-exchange.com/help/qnaFAQ.jsp#3
thanks.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now