Okay, I wrote a simple authorization/authentication scheme with
Webware that relied mostly on session variables to pass certain bits
of user info around. I was aware of a few security issues with my
scheme, but I considered them minor and I wasn't concerned about them
at this point in development. I did have *one* requirement, though,
which was that my scheme be at least robust enough to detect session
timeout/session cookie deletion.

My question is, how is this done?

request.isSessionExpired() doesn't seem to be working the magic I
would have expected it to work.

Well, I figured I'd simply made some not-Webware-best-practices-aware
error, so I went to the Examples and pulled the login examples from
there. Those, it appears, do not do what I want them to do either. If
I delete the session cookie, no dice, just one big error page telling
me that the maximum recursion depth has been exceeded.

I need to detect if the session cookie is present or not, *before* the
rest of a page executes. Right now my protected pages are inheriting
from an AuthFrame class which uses the awake method to handle this
stuff. I have caching turned off.

I know I'm not providing any code here, for the sake of brevity, but
if anyone can give me some hope, it would be very much appreciated.

All the best,