Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

re login  and  the page what you visited

Posted on 2005-04-08
16
Medium Priority
?
577 Views
Last Modified: 2010-05-18

suppose you got a session timeout  and u are forced to re login.
after re login how can you go back to the page  where you were earlier ?

0
Comment
Question by:cofactor
  • 8
  • 6
  • 2
16 Comments
 
LVL 29

Expert Comment

by:bloodredsun
ID: 13739445
You could implement a Listener that listens for the finsihing of a session see here, http://www.unix.org.ua/orelly/java-ent/servlet/ch07_05.htm, specifically one that implements HttpSessionListener  and listens for sessionDestroyed(). You may need to implement somehting on your page or better yet a filter that puts the last known location into the session.

Once you have this then you can store the information in a database and redirect the user to the appropriate page when the next login.
0
 

Author Comment

by:cofactor
ID: 13742440
let me clarify more to my question.

actually  i want if the user goes idle for 30 mints then he need to re login and then he would be allowed to see the  page where he was.


0
 
LVL 29

Expert Comment

by:bloodredsun
ID: 13742881
That's what I answered using session destruction using JSP.

Session expiration is handled by the container, e.g. tomcat, and is typically 30 mins. This can be configured in the web.xml.

To know that a user's session has been destroyed you need to implement a listener as I speciifed above. When the users session expires, a value is written to to the database saying his location when his session expired. When he next logs in, he can be taken to the page he was last at by chcking the database for that location.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 7

Expert Comment

by:searlas
ID: 13745032
No need for a database or a session listener; this is pretty simple really.

1) Detect whether user is logged in, if not save request url in session and redirect to login page
2) After validating login, redirect to url from session.

In JSP I guess you'd have something like:
<%
  if (... not logged in...) {
    String uri = request.getRequestURI();
    // ... rememeber to append query string parameters if they're important to your app

    request.getSession().setAttribute("original URL session key", uri);
    response.sendRedirect("login.jsp");
  }
%>

Some useful (relevant) javadoc:
http://java.sun.com/products/servlet/2.2/javadoc/javax/servlet/http/HttpSession.html#isNew()
http://java.sun.com/products/servlet/2.2/javadoc/javax/servlet/http/HttpServletRequest.html#getRequestURI()
http://java.sun.com/products/servlet/2.2/javadoc/javax/servlet/http/HttpServletResponse.html#sendRedirect(java.lang.String) 
0
 
LVL 29

Expert Comment

by:bloodredsun
ID: 13745255
searlas, your method works for a non-authenticated user requesting a protected page, being taken to a login page to login and then back to the original requested page. Unfortunately what it doesn't do is return a user to the last previously browsed page prior to their session being lost so that when they login back in, they are taken automatically to the last page they were browsing.

The method you have proposed is very good but utimately, I believe it could be more easily acheived with javascript, using either history.go(-1) or the document.referer property as is commonly done when sites take you to a mandatory Terms and Conditions page before setting a cookie for acceptance.
0
 

Author Comment

by:cofactor
ID: 13750407
few moore question  from ur comments......


>When the users session expires, a value is written to to the database saying his location when his session expired

what is that value i  should write into DB ?




i guess you mean to code like this....


dummy code
==========


public final class SessionHandler implements HttpSessionListener {
 
{


// blah blah



    public void sessionDestroyed(HttpSessionEvent event) {
     
 
 // WHAT  should i write here into DB ?
     
     
     
}

0
 
LVL 29

Expert Comment

by:bloodredsun
ID: 13755062
I would have a table in the db that has the username as the primary key and the page they last visited. So your code is:

 public void sessionDestroyed(HttpSessionEvent event) {
     
//get connection code, blah blah
Statement stmt = con.createStatement();
stmt.executeUpdate("insert into lastViewedPageTable '" + lastViewedPage + "' where Username = '"+ userName+"'");
}
 

then in login

public void login( String pUserName , String pPassword){
    //get connection code, blah blah
    //authenticate user
Statement stmt = con.createStatement();
    ResultSet rs = stmt.executeQuery("select lastViewedPage from lastViewedPageTable  where Username = '" +pUserName+"' ");
    while(rs.next){
         String lastViewedPage = rs.getString("lastViewedPage ");
    }
    RequestDispatcher rd = request.getRequestDispatcher(lastViewedPage  );
    rd.forward(request, response) ;

}

This code is full of holes but it will give you the right idea. You should be looking to use a datasource and preparedStatements also.
0
 
LVL 7

Expert Comment

by:searlas
ID: 13757663
bloodredsun,

I understand you're idea, but have you ever implemented it?  You seem to have skated over how you maintain the 'lastViewedPage' variable used in the sessionDestroyed variable.  Presumably this would have to be extracted from the session that's about to be destroyed, which means you have to have put it in there already.

So, are you saying that every servlet/JSP must updated the 'lastViewedPage' attribute in the users session just before they send the page out to the user?

As for using the referrer header, I think that would have problems whenever the servlet has internally forwarded from one servlet to another (or JSP to JSP.)  In this case, the browser wouldn't know the real URL of the page you are looking at... therefore using the referrer property would not allow you to identify which page the user was actually looking at before.

If you can describe a way of maintaining lastViewedPage that'd be great; otherwise I think the best option is to use the getRequestURI method to find out which page the user is trying to get to, not what they were already looking at.


0
 
LVL 29

Expert Comment

by:bloodredsun
ID: 13758042
>>I understand you're idea, but have you ever implemented it?  
Yes, I wrote a clickstream logging system that logged the entire journey of a user on the site, kind of like a mini webtrends. This was then written to a log file which could then be analysed and the ouput written into an Excel file.

>>So, are you saying that every servlet/JSP must updated the 'lastViewedPage' attribute in the users session just before they send the page out to the user?
Nope, you do that in a filter. I don't know whether you've used filters but they can be regarded as speciliased "servlets" that may do pre and post processing of the request and the response. That means that none of your pages have any of this code in, just the filter to add the session attribute and the listener for the session death, so you only need to write 2 classes. All in all, very simple with a clean design and nicely Aspect-Orientated too.

0
 

Author Comment

by:cofactor
ID: 13759361
bloodredsun

i see a flaw in your code.

in your code every time  user will be redirected to the lastViewed page as  soon as he LOGS IN.


but actually i dont want that .

i want  if the user get a SESSION TIMEOUT  then  he will be redirected to last visited page  OTHERWISE( means if he does fresh login)  he should browse normally as we normally  do.

0
 
LVL 29

Expert Comment

by:bloodredsun
ID: 13759796
Fine, set a a flag when you maually invalidate the session. This is looked for in the filter and sets the last viewed page in the db to the home page for example or the landing page.
0
 

Author Comment

by:cofactor
ID: 13759841
>Fine, set a a flag when you maually invalidate the session.

but i do it  in web.xml using session timeout flag ! and i  wont change it .


>This is looked for in the filter and sets the last viewed page in the db to the home page for example or the landing page.

ohh..no , not clear how you are going to implement  .  is my question clear ?
0
 
LVL 29

Expert Comment

by:bloodredsun
ID: 13759941
>>but i do it  in web.xml using session timeout flag ! and i  wont change it .
That is the session time-out variable and if you don't manually invalidate someone, how can you tell whether they were just timed-out or logged-out?

>>ohh..no , not clear how you are going to implement  .  is my question clear ?
In the sessionDestroyed method look for a flag that you set when you log someone out


public void sessionDestroyed(HttpSessionEvent event) {
//get session

//check session for flag, if flag is found exit if not log their last viewed page.
if ((boolean)session.getAttribute("flag")){
//do stuff
}
}
0
 

Author Comment

by:cofactor
ID: 13761360
>That is the session time-out variable and if you don't manually invalidate someone, how can you tell whether they were just timed-out or logged-ou.

so i need to use like this

web.xml
========
// blah
<session-config>
    <session-timeout>60</session-timeout>   // FOR THE WHOLE APPLICATION
  </session-config>


logout.jsp
==========
// blah
session.invalidate();

//and a flag for that user who is logging out


is that OK

thanks
0
 
LVL 29

Accepted Solution

by:
bloodredsun earned 140 total points
ID: 13767512
Yep,that's exactly it except it needs to be like this.

session.setAttribute("flag" , "true")
session.invalidate();

which means that when a session is destroyed, the flag is actually in the session
0
 

Author Comment

by:cofactor
ID: 13769615
ok, thanks . i have got my full answer. thank you.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In my humble opinion (IMHO), TouchDown from Symantec is the best in class for this type of application, but Symantec has end-of-lifed it and although one can keep using it, it will no longer be supported or upgraded.  Time to look for alternatives t…
Why WooCommerce is one of the majorly favored choices when it comes to having an eCommerce store. This article will acquaint you with some reasons that I believe make it one of the best eCommerce platforms available.
With just a little bit of  SQL and VBA, many doors open to cool things like synchronize a list box to display data relevant to other information on a form.  If you have never written code or looked at an SQL statement before, no problem! ...  give i…
The Relationships Diagram is a good way to get an overall view of what a database is keeping track of. It is also where relationships are defined. A relationship specifies how two tables connect to each other. As you build tables in Microsoft Ac…
Suggested Courses

571 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question