«

Hi,
I am creating a website, which will have multiple users. Security
with JSP is quite new to me. I want to make it possible for users to
log in and then browse their information as they wish. In order to
make sure that they don't have to constantly confirm their password,
would I just use a cookie to hold their id and password for the
duration of their session?
Cheers,
Dave

"Dj Frenzy" <> wrote in message
news: m...
> Hi,
> I am creating a website, which will have multiple users. Security
> with JSP is quite new to me. I want to make it possible for users to
> log in and then browse their information as they wish. In order to
> make sure that they don't have to constantly confirm their password,
> would I just use a cookie to hold their id and password for the
> duration of their session?
> Cheers,
> Dave

A session variable would be better. What if a user disables cookies?
(Answer: Then his/her session would be lost too, but you can get around
that.) Use session.setAttribute and session.getAttribute.

On 2004-03-06, Ryan Stewart <> wrote:
>
> A session variable would be better. What if a user disables cookies?
> (Answer: Then his/her session would be lost too, but you can get around
> that.) Use session.setAttribute and session.getAttribute.
>

I know that JSP provides authentication for you. Why not use
that? Then its the JSP container's responsibility to track the user
ID. I've experimented a little with custom login pages and HTTP Basic
authentication in JSP, setting up a restricted area of the site in the
WEB-INF/web.xml file. I also know that you can ask if the logged in
user is in a given role. I know more about old Apache authentication
than JSP specific, but would expect that current user ID is available
from the system.

I'll be looking at implementing some JSP helper apps to help me
be secretary of my local panto group, keeping track of things like
upcoming events and automailing myself or other members as appropriate.
Using Swing would be not be as educational as using JSP. I'll be logging
the user ID with records that the user creates, also using role based
authentication.

- Richard

--
_/_/_/ _/_/_/ _/_/_/ Richard dot Corfield at ntlworld dot com
_/ _/ _/ _/
_/_/ _/ _/ Time is a one way street,
_/ _/ _/_/ _/_/_/ Except in the Twilight Zone.

"Richard Corfield" <> wrote in message
news: dale.dyndns.org...
> On 2004-03-06, Ryan Stewart <> wrote:
> >
> > A session variable would be better. What if a user disables cookies?
> > (Answer: Then his/her session would be lost too, but you can get around
> > that.) Use session.setAttribute and session.getAttribute.
> >
>
> I know that JSP provides authentication for you. Why not use
> that? Then its the JSP container's responsibility to track the user
> ID. I've experimented a little with custom login pages and HTTP Basic
> authentication in JSP, setting up a restricted area of the site in the
> WEB-INF/web.xml file. I also know that you can ask if the logged in
> user is in a given role. I know more about old Apache authentication
> than JSP specific, but would expect that current user ID is available
> from the system.
>
> I'll be looking at implementing some JSP helper apps to help me
> be secretary of my local panto group, keeping track of things like
> upcoming events and automailing myself or other members as appropriate.
> Using Swing would be not be as educational as using JSP. I'll be logging
> the user ID with records that the user creates, also using role based
> authentication.
>
> - Richard

I haven't heard of JSP providing authentication. How is that supposed to
work?

Ryan Stewart wrote:
<snip>
> I haven't heard of JSP providing authentication. How is that supposed to
> work?

You might want to check this out:
<http://java.sun.com/developer/technicalArticles/javaserverpages/servlets_jsp/>

"Sudsy" <> wrote in message
news:...
> Ryan Stewart wrote:
> <snip>
> > I haven't heard of JSP providing authentication. How is that supposed to
> > work?
>
> You might want to check this out:
>
<http://java.sun.com/developer/techni...es/servlets_js
p/>
>
Okay, I've skimmed over it. Where is there something about JSP providing
user authentication?

Ryan Stewart wrote:

> "Sudsy" <> wrote in message
> news:...
>> Ryan Stewart wrote:
>> <snip>
>> > I haven't heard of JSP providing authentication. How is that supposed
>> > to work?
>>
>> You might want to check this out:
>>
>
<http://java.sun.com/developer/techni...es/servlets_js
> p/>
>>
> Okay, I've skimmed over it. Where is there something about JSP providing
> user authentication?

Not JSP per se, but a servlet container is required to provide container
managed authentication.
Look at the J2EE tutorial to see the different ways this can be done.

--
Kind regards,
Christophe Vanfleteren