
Manage session explicitly in Java servlet to secure web application

I am developing a secure web application. I have to develop a servlet to custom control its access.

For example, I have home.jsp wide open, a content.jsp which depends on URL pattern.

If it's GET content.jsp, it should be wide open to display the list of content. If it's content.jsp?chapter=1&detail=true, it should check if the user is logged on or not, only if the user has proper access, then it will grant the permission, otherwise, redirect it to logon page.

I am confused with JSESSIONID management in Java. By default any JSP will automatically create a session if there is no one. I understand I can use @page session="false" to overwrite its default behavior.

So, I guess the logic will be like this:

  1. If the user (not logged on yet) GETs home.jsp, I should not create any session in the servlet. But the JSP should create one. I found that the HTTP request header has a JSESSIONID value sent over. However, how come on the server side I won't get any session back via httpServletRequest.getSession(false)?

  2. If the user wants to GET content.jsp?chapter=1&detail=true, I will redirect it to logon.jsp. After the logon form is submitted, should I create a new session on the server side (before returning) using httpServletRequest.getSession(true)? Will any following JSP page access create a new session?

  3. When the user logs out, I have to call session.invalidate() to invalidate it. However, will any following JSP page create a new session id?

I am just confused by:

  * When should I call getSession(true) and getSession(false)? I assume per user session, I should call getSession(true) once.
  * Which session id should I use (trust) to identify whether the user is truly logged on?

Thanks.

Session and access control don't have much in common. An unauthenticated user may have a session. It can be useful just to store preferences, for example.

Once authenticated, you can keep the same session, but store the identity of the user and their authorizations in the session. You should just see the session as a place where you can store attributes for a given user, that will last for the duration of their session with your webapp.

To sum up, the presence of a session doesn't mean a user is authenticated. The presence of some "authenticated" flag, or some identity in the session, that your authentication mechanism stores in the session, is what you must check to know if a user is authenticated.
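The following is an added example (not code from either answer) that puts the answer above into servlet code: `isAuthenticated` only looks at a session that already exists and only trusts the identity attribute stored in it, `login` is the one place that calls `getSession(true)`, and the pre-login session is discarded first so a JSESSIONID the browser carried around before authentication cannot be reused to identify the logged-in user. The attribute name, the `/logon` path, the redirect targets and the `credentialsValid` stub are assumptions made for the example.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Helper (assumed name) that separates "has a session" from "is authenticated".
final class AuthSession {
    // Assumed attribute name; any name works as long as only the login code sets it.
    static final String USER_ATTR = "authenticatedUser";

    private AuthSession() {}

    /** True only when a session exists AND the login code stored an identity in it. */
    static boolean isAuthenticated(HttpServletRequest request) {
        // getSession(false) never creates a session just to look at it. It also returns
        // null when the browser sent a JSESSIONID that names an expired or invalidated
        // session; request.isRequestedSessionIdValid() distinguishes that case.
        HttpSession session = request.getSession(false);
        return session != null && session.getAttribute(USER_ATTR) != null;
    }

    /** Called only after the credentials were verified. */
    static void login(HttpServletRequest request, String username) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate(); // drop the anonymous session and its id
        }
        // The single getSession(true) per login; on Servlet 3.1+ request.changeSessionId()
        // is an alternative that keeps the attributes but issues a new id.
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute(USER_ATTR, username);
    }

    static void logout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            // After this, a JSP without <%@ page session="false" %> will create a new,
            // anonymous session with a new id; it carries no identity attribute.
            session.invalidate();
        }
    }
}

@WebServlet("/logon")
public class LogonServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (credentialsValid(user, pass)) {
            AuthSession.login(req, user);
            resp.sendRedirect(req.getContextPath() + "/content.jsp?chapter=1&detail=true");
        } else {
            resp.sendRedirect(req.getContextPath() + "/logon.jsp?error=1");
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // GET /logon?action=logout ends the session; everything else shows the form.
        if ("logout".equals(req.getParameter("action"))) {
            AuthSession.logout(req);
            resp.sendRedirect(req.getContextPath() + "/home.jsp");
        } else {
            resp.sendRedirect(req.getContextPath() + "/logon.jsp");
        }
    }

    // Hypothetical stand-in for a real credential store; replace before use.
    private boolean credentialsValid(String user, String pass) {
        return "demo".equals(user) && "demo".equals(pass);
    }
}
```

With this split, the answer to "which session id should I trust" is: none by itself. A request is treated as logged on only when `AuthSession.isAuthenticated(request)` finds the identity attribute, and that attribute can only have been written by `login` after credential verification.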

This works fine

home.jsp

// put <%@ page session="false" %> at the top of the JSP so the page itself does not create a session
HttpSession session = request.getSession(false);
//false: a new session will not be created

if(session == null){
    //not in a session
    //allow to view the home.jsp page and to login
    //after a successful login, create the session and set the attribute:
    //request.getSession(true).setAttribute("authorized","yes");
}
else{//in case a default session was automatically established
    if(session.getAttribute("authorized")==null){
        //not in a valid session
        //allow to login
    }
    else{//already in session, so can't view the login page
        //redirect to the home page by "RequestDispatcher"
    }
}

contact.jsp

Just do the same thing here, like:
1- if not in a session, redirect to home.jsp
2- if in a session but session.getAttribute("authorized") gives null, then also redirect to home.jsp
3- if in a session and session.getAttribute("authorized") gives the value "yes", then
allow access to contact.jsp

when the user logs out

session.removeAttribute("authorized");  
session.invalidate();  

But you will face one problem. When you are at contact.jsp and click the back button of the browser, you will
see home.jsp, i.e. the login page, OR when you have logged out and are at logout.jsp and click the back
button of the browser, you will see contact.jsp. To avoid these you have to put these 3 lines in every page
where you want to have access control, in your case home.jsp and contact.jsp:

<%  
    response.setHeader("Cache-Control","no-cache, no-store, must-revalidate");  
    response.setHeader("Pragma","no-cache");  
    response.setDateHeader("Expires", -1);  
%>
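Instead of repeating the session check and the cache headers in every JSP, the same rules can live in one servlet filter. The following is an added example, not code from the answer above: it applies the URL rule from the question (content.jsp is public unless `detail=true` is present, contact.jsp always needs login), checks the same `"authorized"` attribute the answer uses, and sends the no-cache headers only on protected responses. The filter class name, the mapped paths and `/logon.jsp` as the redirect target are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumed filter name and mappings; the attribute name matches the answer above.
@WebFilter(urlPatterns = {"/content.jsp", "/contact.jsp"})
public class AccessControlFilter implements Filter {
    private static final String AUTH_ATTR = "authorized";

    @Override
    public void init(FilterConfig filterConfig) {}

    @Override
    public void destroy() {}

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        if (!requiresLogin(req)) {
            chain.doFilter(request, response); // public listing, no session needed
            return;
        }

        // Protected pages must never be served from the browser cache, otherwise the
        // back button shows them after logout. Set once here instead of in each JSP.
        resp.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        resp.setHeader("Pragma", "no-cache");
        resp.setDateHeader("Expires", 0);

        // Look, but do not create: an anonymous visitor gets no session from this check.
        HttpSession session = req.getSession(false);
        boolean authorized = session != null
                && "yes".equals(session.getAttribute(AUTH_ATTR));
        if (!authorized) {
            resp.sendRedirect(req.getContextPath() + "/logon.jsp");
            return;
        }
        chain.doFilter(request, response);
    }

    /** The URL rule from the question: only the detailed view of content.jsp is protected. */
    static boolean requiresLogin(HttpServletRequest req) {
        String path = req.getServletPath();
        if (path.endsWith("/contact.jsp")) {
            return true;
        }
        if (path.endsWith("/content.jsp")) {
            return "true".equalsIgnoreCase(req.getParameter("detail"));
        }
        return false;
    }
}
```

Because the filter runs before the JSP, a JSP that still has the default `session="true"` only creates a session for requests that passed the check; the public `content.jsp` listing is reached without any session being created by the filter itself.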

Create a login application using sessions with servlets; see this article and put it into practice easily. Enjoy the program: http://expertlogica.blogspot.in/2014/06/create-login-application-using-session.html
