I currently have the following includes at the top of all of my jsp files:

<%@ include file="inc/inc_cookie_login.jsp"%>
<%@ include file="inc/inc_protect_page.jsp"%>
<%@ include file="inc/inc_log_access.jsp"%>

The JSPs have scriptlets that check for a cookie and set a user object in the session if the cookie exists, prevent access to the JSP unless a session has been set, and write the user IP, name, page accessed, etc. to a text file, respectively.

The scriptlet approach above has worked fine but now that I have a better server set up and can utilize a web.xml file, I have been refactoring my app to best practices. The above is screaming FIXME! Should I be investigating listeners, filters, ?, or is my current approach adequate?

=== inc_cookie_login.jsp ====

<%@ page import="model.STKUser"%>
<%@ page import="model.STKUserCookie"%>
<%@ page import="data.STKUserDAO"%>

<%
if ( request.getSession().getAttribute("STKUserSession") == null) {
    STKUserCookie userCookie = new STKUserCookie(request);
    String userBadge = userCookie.getUserID();
    STKUserDAO userDAO = new STKUserDAO();
    STKUser user = userDAO.getUser(userBadge);
    if (user != null) {
        user.setIpAddress(request.getRemoteAddr());
        userDAO.updateLoginCount(user);
        request.getSession().setMaxInactiveInterval(36000); //set to 10 hours
        request.getSession().setAttribute("STKUserSession", user);
    }
}
%>

1 Answer

This looks like a good one to be replaced by a filter. Create the filter class and ref it with a pattern in your web.xml. Scriptlets should not be used unless all other options have been reasonably exhausted.

2 Comments

Wouldn't a listener of a new HTTP Session creation be a better choice for a cookie login? It seems overkill to keep checking if STKUserSession is null on every page access. It should be done once per visitor, right?

It should be once per visitor if you can guarantee that it will be there if the session is not null. You could end up with a valid session that does not contain STKUserSession depending on implementation. But in general, yeah, I'd agree that a listener on a new session could be better.
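
The filter approach from the answer, as an added example that is not part of the original thread: one class that takes over the three includes and checks the session attribute itself, which covers the case raised in the comments of a valid session without STKUserSession. The class name AuthFilter, the /login.jsp path, the redirect for unauthenticated requests, logging through the servlet context log, and the javax.servlet 3.1+ API are assumptions; it also assumes STKUserCookie verifies the cookie rather than trusting a bare user ID.

```java
// Added example, not the asker's code. Hypothetical names: AuthFilter, /login.jsp.
// Register in web.xml with <filter> and <filter-mapping><url-pattern>*.jsp</url-pattern>.
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
import model.STKUser;
import model.STKUserCookie;
import data.STKUserDAO;

public class AuthFilter implements Filter {
    private static final String USER_KEY = "STKUserSession";
    private static final String LOGIN_PAGE = "/login.jsp"; // assumed path
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // The login page itself must stay reachable, or the redirect loops.
        if (req.getServletPath().equals(LOGIN_PAGE)) {
            chain.doFilter(rq, rs);
            return;
        }
        // Check the attribute, not just the session: a session can exist without it.
        HttpSession session = req.getSession(false);
        STKUser user = session == null ? null : (STKUser) session.getAttribute(USER_KEY);
        if (user == null) { // replaces inc_cookie_login.jsp
            String badge = new STKUserCookie(req).getUserID(); // assumes a verified cookie
            STKUserDAO dao = new STKUserDAO();
            user = badge == null ? null : dao.getUser(badge);
            if (user != null) {
                user.setIpAddress(req.getRemoteAddr());
                dao.updateLoginCount(user);
                session = req.getSession(true);
                req.changeSessionId(); // Servlet 3.1+: fresh session id at login
                session.setMaxInactiveInterval(36000); // 10 hours, as in the JSP
                session.setAttribute(USER_KEY, user);
            }
        }
        if (user == null) { // replaces inc_protect_page.jsp
            res.sendRedirect(req.getContextPath() + LOGIN_PAGE);
            return;
        }
        // replaces inc_log_access.jsp: one line per request, written to the container log
        req.getServletContext().log("access ip=" + req.getRemoteAddr() + " page=" + req.getRequestURI());
        chain.doFilter(rq, rs);
    }
}
```

Because the check runs before `chain.doFilter`, a JSP added later is protected by the URL pattern alone and cannot be left open by forgetting an include.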
