You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Taavi Tiirik <ta...@ibs.ee> on 2001/08/26 15:49:19 UTC
how to check if user is authenticated
I am doing form based login using JDBCRealm and for logging out
I call request.getSession().invalidate().
The problem is that after invalidation (duering the very same
request) I can still use request.getRemoteUser() and it returns
user name just like before calling session.invalidate().
What would be the proper way of asking if the user is logged
in or not? I cannot set any session attributes duering login
process since I am using tomcat's built in JDBCRealm
authentication.
Oh and I am using latest nightly build of Tomcat 4.0.
Thank you so much for your time
with best wishes,
Taavi
Re: how to check if user is authenticated
Posted by "Craig R. McClanahan" <cr...@apache.org>.
On Sun, 26 Aug 2001, Taavi Tiirik wrote:
> Date: Sun, 26 Aug 2001 15:49:19 +0200
> From: Taavi Tiirik <ta...@ibs.ee>
> Reply-To: tomcat-user@jakarta.apache.org
> To: tomcat-user@jakarta.apache.org
> Subject: how to check if user is authenticated
>
>
> I am doing form based login using JDBCRealm and for logging out
> I call request.getSession().invalidate().
>
By the way, this works only if you are using form-based login -- for BASIC
login you have to ask your user to log out.
> The problem is that after invalidation (duering the very same
> request) I can still use request.getRemoteUser() and it returns
> user name just like before calling session.invalidate().
>
That is because the authentication decision for *this* request was made at
the beginning of the request, and lasts for the entire length of that
request -- no matter what else happens.
> What would be the proper way of asking if the user is logged
> in or not? I cannot set any session attributes duering login
> process since I am using tomcat's built in JDBCRealm
> authentication.
The simplest thing would be to use an HttpSessionListener (a new listener
API added in servlet 2.3). Such listeners are notified when a new session
is created (even if it's done by Tomcat) and destroyed.
>
> Oh and I am using latest nightly build of Tomcat 4.0.
>
> Thank you so much for your time
>
> with best wishes,
> Taavi
>
>
>
>
Craig McClanahan