Friday, September 29, 2006

Disabling Back Button and URL Blocking

This was a hot topic for web-enabled applications when we were doing the programming assignments for our degree (especially as the due dates drew nearer). Students kept running into this problem and could not find a good solution. The issue arises when a registered user logs out of the members' area after viewing some members-only pages: non-registered users should not be able to see the restricted pages, which were meant for members only.

What happens in a browser, as we know, is that all the pages viewed get cached, so later they can be viewed by anyone; this is mainly a problem when a computer is shared by many people. To eliminate this problem we are supposed to use some kind of mechanism to stop these pages from being cached. I am talking about this from a Java server-side scripting point of view.

One solution is to insert header tags in the HTML, servlet or JSP (Java Server Page) pages to stop caching. First we will look at the HTML header tags.

<!-- Forces HTTP/1.0 caches to obtain a new copy of the page from the origin server (the value is "no-cache", with a hyphen) -->
<meta http-equiv="Pragma" content="no-cache">
<!-- Directs caches not to store the page under any circumstance -->
<meta http-equiv="Cache-Control" content="no-store">

<!-- Directs caches not to reuse a stored copy without revalidating it with the server -->
<meta http-equiv="Cache-Control" content="no-cache">
<!-- An invalid or past date means the page is treated as already expired -->
<meta http-equiv="Expires" content="-1">


The same directives can be sent from a Java servlet as real HTTP headers using the response object, as follows. This form is more reliable than the meta tags: intermediate caches only ever see the HTTP headers, never the tags inside the HTML body.

// All of these must be called before anything is written to the response body;
// once the response is committed, header changes are silently ignored.
response.setHeader("Pragma", "no-cache");
response.setHeader("Cache-Control", "no-store");

// addHeader, not setHeader: a second setHeader("Cache-Control", ...) would replace
// the no-store value above instead of adding a second directive to it.
response.addHeader("Cache-Control", "no-cache");
response.setHeader("Expires", "-1"); // an invalid date counts as already expired


The other solution is to use session variables to validate the user when a restricted page is entered by typing its URL directly. If there are several types of users (member, admin or moderator) authorized to access different kinds of pages with different functions, each page has to check the user type as well as the user id. These values should be created on a successful login and stored in session variables so that they can be checked throughout the session. Meanwhile, a timeout interval can be set to invalidate the session (session expiry) when it has been inactive for a given period.

First we'll look at some servlet code that sets the session variables to be checked later.

HttpSession session = request.getSession(true); // create (or reuse) the HTTP session object
session.setAttribute("ID", "");   // session attribute that will hold the user's id
session.setAttribute("Type", ""); // another session attribute that will hold the user type

try
{
    // Authenticate the member.
    // getParameter is a method of the request object that reads a form parameter.
    String inputId = request.getParameter("ID");
    String inputPassword = request.getParameter("password");
    String selectedType = request.getParameter("type"); // user type chosen on the login form

    if ("Member".equals(selectedType))
    {
        // Get the stored password for the user's input id through a method of your own
        // (getPasswordFor is a placeholder name for that database lookup) and assign it
        // to the string db_password
        String db_password = getPasswordFor(inputId);

        if (db_password != null && db_password.equals(inputPassword))
        {
            // set session attribute ID with the user's ID
            session.setAttribute("ID", inputId);
            // Setting the type for security purposes - blocks browsing a restricted page by URL directly.
            // set session attribute Type with the user type.
            // Note: this trusts the type the client selected on the form; the safer value is
            // the type recorded for this user in the database, so nobody can pick a more
            // privileged type than they were given.
            session.setAttribute("Type", selectedType);
            // ... any action to be performed after a successful login
        }
        else
        {
            // ... necessary action for the error (wrong password)
        }
    } // End of If
    else
    {
        // ... action for the error (unsupported user type)
    } // End of Else
} // End of Try
catch (Exception e)
{
    // ... action for the caught exception
} // End of Catch

Second, check these session variables in the restricted members' page.

// false: do not create a fresh session for an anonymous visitor; no session means not logged in
HttpSession session = request.getSession(false);
Object id = (session == null) ? null : session.getAttribute("ID");

// The login code pre-fills ID with "", so an empty value must be rejected as well as null
if (id == null || "".equals(id))
{
    // ... necessary action (for example, redirect to the login page)
}
else
{
    // String.valueOf converts the session attribute (an Object) to a String before comparing
    if (String.valueOf(session.getAttribute("Type")).equals("Member"))
    {
        // ... rendering the page
    }
    else
    {
        // ... necessary action (logged in, but not as a Member)
    }
}

The same can be repeated to check the other member types too. I personally prefer to write these checks as methods in a separate class and invoke them through an object every time rather than repeating them in every page. I also recommend writing all restricted pages in JSP, so that scriptlets can perform the checks above.
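Following the suggestion to keep the checks in a separate class, here is an added example of such a helper; it is not code from the post. It covers the login step (storing ID and Type once the credentials have been verified), the check a restricted page performs, and the logout that this whole topic starts from. The class name AccessControl, the method names, the login page path /login.jsp and the 15-minute timeout are assumptions; the attribute names ID and Type are the post's own.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Central access-control helper; names other than "ID" and "Type" are this example's own. */
public final class AccessControl {

    private static final String ID = "ID";
    private static final String TYPE = "Type";
    private static final String LOGIN_PAGE = "/login.jsp"; // assumed location of the login form

    private AccessControl() {
    }

    /** Call only after the password has been verified; userType comes from the user record. */
    public static void login(HttpServletRequest request, String userId, String userType) {
        // Drop any session that existed before authentication, so a session id the browser
        // held before login cannot stay valid afterwards (session fixation).
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute(ID, userId);
        session.setAttribute(TYPE, userType);
        session.setMaxInactiveInterval(15 * 60); // expire after 15 idle minutes (assumed policy)
    }

    /** True when an existing session holds a non-empty user id. */
    public static boolean isLoggedIn(HttpServletRequest request) {
        HttpSession session = request.getSession(false); // never create a session just to check it
        if (session == null) {
            return false;
        }
        Object id = session.getAttribute(ID);
        return id != null && id.toString().length() > 0;
    }

    /** True when the logged-in user has one of the allowed types (Member, Admin, ...). */
    public static boolean hasType(HttpServletRequest request, String... allowedTypes) {
        if (!isLoggedIn(request)) {
            return false;
        }
        String type = String.valueOf(request.getSession(false).getAttribute(TYPE));
        for (String allowed : allowedTypes) {
            if (allowed.equals(type)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Gate for a restricted page. Returns true when rendering may continue; otherwise the
     * user has been redirected to the login page and the caller must stop producing output.
     */
    public static boolean require(HttpServletRequest request, HttpServletResponse response,
                                  String... allowedTypes) throws IOException {
        if (hasType(request, allowedTypes)) {
            return true;
        }
        response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
        return false;
    }

    /** Logout: forget everything the session knew, then send the user back to the login page. */
    public static void logout(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate(); // the ID and Type attributes disappear with the session
        }
        response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
    }
}
```

In a restricted JSP the whole check then becomes one scriptlet at the top of the page, <% if (!AccessControl.require(request, response, "Member")) return; %>, and an admin page passes "Admin" (or several types) instead. The timeout can alternatively be set for the whole application through the session-timeout element of session-config in web.xml. Logout alone does not clear the browser's cache, which is why the no-cache headers from the first half of the post are still needed on the member pages.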

Cheers!!!
