Posted to users@wicket.apache.org by Zsolt Süli <wi...@zszso.hu> on 2007/09/10 18:34:44 UTC

stay logged in/session expiration time

Hi!

I'd like to write a signIn page, that lets me STAY LOGGED IN (/always
signed in/etc.). This way the session won't be closed when I close the
browser. The only way to invalidate the session is to log out (or many
days have to pass). I think I should use session cookies, and I should
set the expiration time somehow. And that's the question ... how?

Thx in advance,
ZsZso


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org


Re: stay logged in/session expiration time

Posted by ig...@gmail.com.
learn something new every day :)

-igor

On 9/11/07, Erik van Oosten <e....@chello.nl> wrote:
>
> Not entirely true, you can call setMaxInactiveInterval on the Http session.
>
> http://java.sun.com/products/servlet/2.2/javadoc/javax/servlet/http/HttpSession.html#setMaxInactiveInterval(int)
>
> There is a Wicket trick to get hold of the HTTP session. You can search for
> it in the mailing list or on the wiki.
>
> Regards.
>     Erik.
>
>
>
> igor.vaynberg wrote:
> >
> > webapps aren't really designed to do this, you will have to write the
> > appropriate hooks for your servlet container. e.g. your own sessionmanager
> > for tomcat, etc.
> >
> > -igor
> >
> >
> > On 9/10/07, Zsolt Süli <wi...@zszso.hu> wrote:
> >>
> >> Yeah, but I want to change dynamically. Say Joe wants to stay logged in,
> >> so he set the STAY LOGGED IN checkbox on, but Lilly doesn't like these
> >> things, so she just let it go, and the checkbox stays off. So web.xml is
> >> a good solution, and thanks for that. My mistake, I wasn't too precise
> >> at my last letter. Maybe the more accurate question sounds like this:
> >> how can I change the session's expiration time during runtime?
> >
>
> --
> Erik van Oosten
> http://2008.rubyenrails.nl/
> http://www.day-to-day-stuff.blogspot.com/
> --
> View this message in context:
> http://www.nabble.com/stay-logged-in-session-expiration-time-tf4416611.html#a12609918
> Sent from the Wicket - User mailing list archive at Nabble.com.
>


Re: stay logged in/session expiration time

Posted by Erik van Oosten <e....@chello.nl>.
Not entirely true, you can call setMaxInactiveInterval on the Http session.

http://java.sun.com/products/servlet/2.2/javadoc/javax/servlet/http/HttpSession.html#setMaxInactiveInterval(int)

There is a Wicket trick to get hold of the HTTP session. You can search for
it in the mailing list or on the wiki.

Regards.
    Erik.



igor.vaynberg wrote:
> 
> webapps aren't really designed to do this, you will have to write the
> appropriate hooks for your servlet container. e.g. your own sessionmanager
> for tomcat, etc.
> 
> -igor
> 
> 
> On 9/10/07, Zsolt Süli <wi...@zszso.hu> wrote:
>>
>> Yeah, but I want to change dynamically. Say Joe wants to stay logged in,
>> so he set the STAY LOGGED IN checkbox on, but Lilly doesn't like these
>> things, so she just let it go, and the checkbox stays off. So web.xml is
>> a good solution, and thanks for that. My mistake, I wasn't too precise
>> at my last letter. Maybe the more accurate question sounds like this:
>> how can I change the session's expiration time during runtime?
> 

--
Erik van Oosten
http://2008.rubyenrails.nl/
http://www.day-to-day-stuff.blogspot.com/
-- 
View this message in context: http://www.nabble.com/stay-logged-in-session-expiration-time-tf4416611.html#a12609918
Sent from the Wicket - User mailing list archive at Nabble.com.




Re: stay logged in/session expiration time

Posted by Igor Vaynberg <ig...@gmail.com>.
webapps aren't really designed to do this, you will have to write the
appropriate hooks for your servlet container. e.g. your own sessionmanager for
tomcat, etc.

-igor


On 9/10/07, Zsolt Süli <wi...@zszso.hu> wrote:
>
> Yeah, but I want to change dynamically. Say Joe wants to stay logged in,
> so he set the STAY LOGGED IN checkbox on, but Lilly doesn't like these
> things, so she just let it go, and the checkbox stays off. So web.xml is
> a good solution, and thanks for that. My mistake, I wasn't too precise
> at my last letter. Maybe the more accurate question sounds like this:
> how can I change the session's expiration time during runtime?
>
> ZsZso
>
> Igor Vaynberg wrote:
> > in web.xml
> >
> > -igor
> >
> >
> > On 9/10/07, Zsolt Süli <wi...@zszso.hu> wrote:
> >
> >> Hi!
> >>
> >> I'd like to write a signIn page, that lets me STAY LOGGED IN (/always
> >> signed in/etc.). This way the session won't be closed when I close the
> >> browser. The only way to invalidate the session is to log out (or many
> >> days have to pass). I think I should use session cookies, and I should
> >> set the expiration time somehow. And that's the question ... how?
> >>
> >> Thx in advance,
> >> ZsZso
> >>
> >>
> >>
> >>
> >>
> >
> >
>
>
>
>

Re: stay logged in/session expiration time

Posted by Zsolt Süli <wi...@zszso.hu>.
Yeah, but I want to change dynamically. Say Joe wants to stay logged in, 
so he set the STAY LOGGED IN checkbox on, but Lilly doesn't like these 
things, so she just let it go, and the checkbox stays off. So web.xml is 
a good solution, and thanks for that. My mistake, I wasn't too precise 
at my last letter. Maybe the more accurate question sounds like this: 
how can I change the session's expiration time during runtime?

ZsZso

Igor Vaynberg wrote:
> in web.xml
>
> -igor
>
>
> On 9/10/07, Zsolt Süli <wi...@zszso.hu> wrote:
>   
>> Hi!
>>
>> I'd like to write a signIn page, that lets me STAY LOGGED IN (/always
>> signed in/etc.). This way the session won't be closed when I close the
>> browser. The only way to invalidate the session is to log out (or many
>> days have to pass). I think I should use session cookies, and I should
>> set the expiration time somehow. And that's the question ... how?
>>
>> Thx in advance,
>> ZsZso
>>
>>
>>
>>
>>     
>
>   




Re: stay logged in/session expiration time

Posted by Igor Vaynberg <ig...@gmail.com>.
in web.xml

-igor


On 9/10/07, Zsolt Süli <wi...@zszso.hu> wrote:
>
> Hi!
>
> I'd like to write a signIn page, that lets me STAY LOGGED IN (/always
> signed in/etc.). This way the session won't be closed when I close the
> browser. The only way to invalidate the session is to log out (or many
> days have to pass). I think I should use session cookies, and I should
> set the expiration time somehow. And that's the question ... how?
>
> Thx in advance,
> ZsZso
>
>
>
>

Re: stay logged in/session expiration time

Posted by Johan Compagner <jc...@gmail.com>.
you can also look if you can do something with this:

http://java.sun.com/products/servlet/2.1/api/javax.servlet.http.HttpSession.html#setMaxInactiveInterval(int)

the only thing is that the servlet container should then use disk based
cookies (instead of in mem/session cookies)
then you won't lose anything and even after closing the browser and opening it
again
you will have the exact same state.

johan


On 9/10/07, Zsolt Süli <wi...@zszso.hu> wrote:
>
> Hi!
>
> I'd like to write a signIn page, that lets me STAY LOGGED IN (/always
> signed in/etc.). This way the session won't be closed when I close the
> browser. The only way to invalidate the session is to log out (or many
> days have to pass). I think I should use session cookies, and I should
> set the expiration time somehow. And that's the question ... how?
>
> Thx in advance,
> ZsZso
>
>
>
>

Re: stay logged in/session expiration time

Posted by Zsolt Süli <wi...@zszso.hu>.
Thank you John, that's exactly what I was looking for!

John Ray wrote:
> I think what you are looking for are the following steps
>
> 1) When a user first comes to the site check if they have a cookie from a
> prior visit and automatically log them in.
> 2) If they don't have a cookie then redirect them to the login page
> 3) As they log in set a cookie on their browser so the next time they visit
> they will be automatically logged in during step 1 above. The cookie will
> need to contain the user name and password to authenticate them. It
> would probably be best for added security to do a one way hash (such as SHA)
> on the password though and not store the actual password in the cookie.
>
> To do steps 1 and 2 you need your own AuthorizationStrategy for your
> application. Look at the wicket example to do this
>
>     http://wicketstuff.org/wicket13/signin/
>
> Don't forget there is a link to view the source code in the top right of the
> page. You need to modify the AuthorizationStrategy to something like this
>
> public class MyAuthorizationStrategy implements IAuthorizationStrategy {
>
>   public boolean isInstantiationAuthorized(Class componentClass) {
>     if (AuthenticatedWebPage.class.isAssignableFrom(componentClass)) {
>       // Is user signed in?
>       if (((SignInSession)Session.get()).isSignedIn()) {
>         // okay to proceed
>         return true;
>       }
>
>       // Look at cookies to determine if the user should be logged in automatically
>       // (getCookies() may return null when the request carries no cookies)
>       Cookie[] cookies = ((WebRequest) RequestCycle.get().getRequest()).getCookies();
>       // ... iterate through each cookie for our magic login cookie
>       // ... If a cookie is found then log the user in and return true
>
>       // Redirect user to login page if there was no cookie
>       throw new RestartResponseAtInterceptPageException(SignIn.class);
>     }
>
>     // Pages that do not require authentication can always be instantiated
>     return true;
>   }
>
>   // ...
> }
>
> For step 3 you'll need to modify the onSubmit() method in the login page so
> that it sets a cookie on the browser when the user is logged in. 
>
>   Cookie loginCookie = new Cookie(...);
>   // ... Also set the cookie MaxAge so that the browser will remember it even if
>   // the browser is closed
>   getWebRequestCycle().getWebResponse().addCookie(loginCookie);
>
> The Cookies are just standard J2EE cookies from the servlet API so look at
> the J2EE docs for more info on them.
>   




Re: stay logged in/session expiration time

Posted by John Ray <jo...@newonic.com>.
I think what you are looking for are the following steps

1) When a user first comes to the site check if they have a cookie from a
prior visit and automatically log them in.
2) If they don't have a cookie then redirect them to the login page
3) As they log in set a cookie on their browser so the next time they visit
they will be automatically logged in during step 1 above. The cookie will
need to contain the user name and password to authenticate them. It
would probably be best for added security to do a one way hash (such as SHA)
on the password though and not store the actual password in the cookie.

To do steps 1 and 2 you need your own AuthorizationStrategy for your
application. Look at the wicket example to do this

    http://wicketstuff.org/wicket13/signin/

Don't forget there is a link to view the source code in the top right of the
page. You need to modify the AuthorizationStrategy to something like this

public class MyAuthorizationStrategy implements IAuthorizationStrategy {

  public boolean isInstantiationAuthorized(Class componentClass) {
    if (AuthenticatedWebPage.class.isAssignableFrom(componentClass)) {
      // Is user signed in?
      if (((SignInSession)Session.get()).isSignedIn()) {
        // okay to proceed
        return true;
      }

      // Look at cookies to determine if the user should be logged in automatically
      // (getCookies() may return null when the request carries no cookies)
      Cookie[] cookies = ((WebRequest) RequestCycle.get().getRequest()).getCookies();
      // ... iterate through each cookie for our magic login cookie
      // ... If a cookie is found then log the user in and return true

      // Redirect user to login page if there was no cookie
      throw new RestartResponseAtInterceptPageException(SignIn.class);
    }

    // Pages that do not require authentication can always be instantiated
    return true;
  }

  // ...
}

For step 3 you'll need to modify the onSubmit() method in the login page so
that it sets a cookie on the browser when the user is logged in. 

  Cookie loginCookie = new Cookie(...);
  // ... Also set the cookie MaxAge so that the browser will remember it even if
  // the browser is closed
  getWebRequestCycle().getWebResponse().addCookie(loginCookie);

The Cookies are just standard J2EE cookies from the servlet API so look at
the J2EE docs for more info on them.
-- 
View this message in context: http://www.nabble.com/stay-logged-in-session-expiration-time-tf4416611.html#a12600257
Sent from the Wicket - User mailing list archive at Nabble.com.

