HTTP requests do not preserve state by themselves. The HTTP protocol provides a mechanism for returning a single response to a single request. J2EE provides a mechanism for tying individual requests together into a session with the appropriately named "Session" object. The mechanism it uses is a small id code, usually called a JSessionID, that exists in the URL or in a cookie which gets sent with every browser request.
When do Sessions end? When they "timeout". Remember that configuration item in the web.xml:
<session-config>
<session-timeout>20</session-timeout>
</session-config>
The J2EE container checks all of its Sessions and decides whether to remove them based on whether any requests have come in for a particular session for the designated time period (in this case: 20 minutes).
So I would guess a reasonably effective way to do this would be to call the method:
session.setMaxInactiveInterval(1);
This would tell it to timeout in 1 second.
Having said that... I have to admit I have never called this method myself. If I need to log someone out of a password protected area of a website, I just remove the session attribute token that tells me they are logged in.
Using the Session object is reasonably secure. However, there are other steps that need to be taken to ensure that security.
1.) The password needs to be sent over a secure https request.
2.) All subsequent requests need to go over secure https requests.
3.) Steps need to be taken to stop the browser from caching the pages.
(For example: you could use javascript;window.location.replace() instead of ordinary URLs)
If the pages are cached, a user can hit the "Back" button and view old pages.
4.) Of course, the application has to check for the signed-in-token with every request.
(A good place to use a J2EE Filter that maps to "/*", all requests.)
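
The checks in steps 2 to 4 above, sketched as a servlet Filter. This is an added example, not part of the original post: the attribute name `signedInUser` and the `/login` path are hypothetical, and it stops caching with response headers rather than the JavaScript approach mentioned in step 3.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Map this filter to "/*" in web.xml so every request passes through it.
public class SignedInFilter implements Filter {
    // Hypothetical names (assumptions, not from the post): adjust to the application.
    private static final String TOKEN_ATTR = "signedInUser";
    private static final String LOGIN_PATH = "/login";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // Step 3: forbid caching so the "Back" button has to re-request the page.
        res.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        res.setHeader("Pragma", "no-cache");
        res.setDateHeader("Expires", 0);

        // Steps 1-2: refuse any request that did not arrive over https.
        if (!req.isSecure()) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        // The login page itself must stay reachable without a token.
        // getServletPath() excludes any ";jsessionid=..." URL suffix.
        if (LOGIN_PATH.equals(req.getServletPath())) {
            chain.doFilter(rq, rs);
            return;
        }
        // Step 4: getSession(false) never creates a session as a side effect.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute(TOKEN_ATTR) == null) {
            res.sendRedirect(req.getContextPath() + LOGIN_PATH);
            return;
        }
        chain.doFilter(rq, rs);
    }
}
```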