After the user is successfully signed in, during the page navigation, I can track if the user's session is still valid by using: request.isRequestedSessionIdValid(). After the user signs out, I can code to invalidate the user's session, such as: session.invalidate();
Now, when the user first tries to sign in, I coded to check the user's username and password; if they match those stored in the database, the user's sign-in is successful. Right here, how can I associate this user with the specific session in which the user has just signed in, so that later on I can check request.isRequestedSessionIdValid?
I mean, for a non-registered user, every time the user accesses my website, the user automatically gets an HttpServletRequest and a session. Now for a registered user, I believe I need to associate a session (such as a session id or something else) with the user.
Or what should be the right way to code it?
Thanks for your help.
Apparently you're asking about Java EE web applications (you didn't post in any relevant forum so that's my guess).
After the user signs on successfully, create a session attribute which contains a User object (or a String containing the user ID, or whatever you need). And when the user signs off, remove that session attribute. Then on subsequent requests, you can just check to see if that attribute exists. If it does, then you know the user is signed on and you know who they are.
With this simple and straightforward design you don't need to mess with the isRequestedSessionIdValid method.
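The design described in this answer (bind a User object to the session on sign-in, remove it on sign-off, check for it on every request), written out as a complete Java EE servlet example. This is added illustration code, not code from the original post; it uses the javax.servlet API, a hypothetical attribute name `currentUser`, and a constructed in-memory user table standing in for the database check the question mentions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionAuthExample {

    // Name of the session attribute that marks a signed-in user (assumed name).
    public static final String USER_ATTR = "currentUser";

    // Minimal user model held in the session once the user has signed in.
    public static final class User implements java.io.Serializable {
        public final String username;
        public User(String username) { this.username = username; }
    }

    // Constructed stand-in for the database lookup; a real application
    // would compare a salted password hash, not a plaintext value.
    private static final Map<String, String> USERS = Map.of("alice", "correct horse");

    static User authenticate(String username, String password) {
        if (username == null || password == null) return null;
        String expected = USERS.get(username);
        if (expected == null) return null;
        // Constant-time comparison avoids leaking how many bytes matched.
        boolean ok = MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8));
        return ok ? new User(username) : null;
    }

    // Sign-in: verify credentials, then store the User in the session.
    public static class LoginServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            User user = authenticate(req.getParameter("username"),
                                     req.getParameter("password"));
            if (user == null) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // Discard any pre-login session so the authenticated user gets a
            // fresh session id rather than keeping the anonymous one.
            HttpSession old = req.getSession(false);
            if (old != null) old.invalidate();
            HttpSession session = req.getSession(true);
            session.setAttribute(USER_ATTR, user);
            resp.sendRedirect(req.getContextPath() + "/home");
        }
    }

    // Sign-off: remove the attribute and invalidate the whole session.
    public static class LogoutServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.removeAttribute(USER_ATTR);
                session.invalidate();
            }
            resp.sendRedirect(req.getContextPath() + "/login");
        }
    }

    // Runs on every protected request: the presence of the attribute is the
    // only check needed to know that the user is signed in and who they are.
    public static class AuthFilter implements Filter {
        @Override
        public void doFilter(ServletRequest request, ServletResponse response,
                             FilterChain chain) throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse resp = (HttpServletResponse) response;
            HttpSession session = req.getSession(false);
            User user = session == null ? null : (User) session.getAttribute(USER_ATTR);
            if (user == null) {
                resp.sendRedirect(req.getContextPath() + "/login");
                return;
            }
            chain.doFilter(request, response);
        }
    }
}
```

Map `LoginServlet` and `LogoutServlet` to `/login` and `/logout` and register `AuthFilter` on the protected URL patterns (for example `/home/*`) in web.xml or with `@WebFilter`; these mappings are assumed for the example. Invalidating the pre-login session before calling `setAttribute` is the one step beyond the answer's description: it ensures the session id that carries the signed-in state is issued only after credentials were verified.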
Your requirement is called single sign-on, which means you use a centralized authentication service so that the user does not need to log in to individual applications separately.
The "authenticated user returns" approach is opening a security hole and you should not go that way...