Apparently you're asking about Java EE web applications (you didn't post in any relevant forum so that's my guess).
After the user signs on successfully, create a session attribute which contains a User object (or a String containing the user ID, or whatever you need). And when the user signs off, remove that session attribute. Then on subsequent requests, you can just check to see if that attribute exists. If it does, then you know the user is signed on and you know who they are.
With this simple and straightforward design you don't need to mess with the isRequestedSessionIdValid method.
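The sign-on design described in this reply, as an added example in a Java EE servlet helper (not code from the thread): the user ID is stored in a session attribute at sign-on, removed at sign-off, and checked on every request. The class and attribute names and the /login.jsp path are assumptions, and the session-ID rotation at sign-on is a defensive step added here.

```java
// Added example, not code from the thread. USER_ATTR and the /login.jsp
// path are assumptions chosen for illustration.
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public final class SignOnState {
    static final String USER_ATTR = "authenticatedUser"; // assumed attribute name

    /** Sign-on: call only after the credentials have been verified. */
    static void signOn(HttpServletRequest req, String userId) {
        HttpSession s = req.getSession(true);
        // Issue a fresh session ID at sign-on (Servlet 3.1+), so an ID the
        // browser held before authenticating is not the authenticated one.
        req.changeSessionId();
        s.setAttribute(USER_ATTR, userId);
    }

    /** Sign-off: remove the attribute and discard the whole session. */
    static void signOff(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        if (s != null) {
            s.removeAttribute(USER_ATTR);
            s.invalidate();
        }
    }

    /** The signed-on user ID for this request, or null if nobody is signed on. */
    static String currentUser(HttpServletRequest req) {
        HttpSession s = req.getSession(false); // don't create a session just to check
        return s == null ? null : (String) s.getAttribute(USER_ATTR);
    }

    /**
     * Gate for protected servlets: returns true if a user is signed on,
     * otherwise redirects to the login page and returns false.
     */
    static boolean requireSignOn(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        if (currentUser(req) != null) {
            return true;
        }
        resp.sendRedirect(req.getContextPath() + "/login.jsp"); // assumed login page
        return false;
    }
}
```

A protected servlet calls `requireSignOn` at the top of `doGet`/`doPost` and returns immediately when it yields false.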
Your requirement is called single sign-on, which means you use a centralized authentication service so that the user does not need to log in to individual applications separately.
The "authenticated user returns" approach is opening a security hole and you should not go that way...
TPD Opitz-Consulting com wrote: Your requirement is called single sign on
He didn't seem to describe SSO, but simply regular session handling.