From: Greg M. <gmc...@gm...> - 2005-03-26 19:54:30
Yo folks,

Okay, I wrote a simple authorization/authentication scheme with Webware that relied mostly on session variables to pass certain bits of user info around. I was aware of a few security issues with my scheme, but I considered them minor and I wasn't concerned about them at this point in development. I did have *one* requirement, though, which was that my scheme be at least robust enough to detect session timeout/session cookie deletion.

My question is, how is this done? request.isSessionExpired() doesn't seem to be working the magic I would have expected it to work. Well, I figured I'd simply made some not-Webware-best-practices-aware error, so I went to the Examples and pulled the login examples from there. Those, it appears, do not do what I want them to do either. If I delete the session cookie, no dice, just one big error page telling me that the maximum recursion depth has been exceeded.

I need to detect if the session cookie is present or not, *before* the rest of a page executes. Right now my protected pages are inheriting from an AuthFrame class which uses the awake method to handle this stuff. I have caching turned off.

I know I'm not providing any code here, for the sake of brevity, but if anyone can give me some hope, it would be very much appreciated.

All the best,
Greg
From: Greg M. <gmc...@gm...> - 2005-03-28 17:18:52