Java Mailing List Archive

invalid direct reference..--problem with solution..


2003-10-03       - By George Payne


I would like to implement a fix to this.  I think having users bookmark the
login page is a very likely frequent problem.

But..

What happens if you implement this solution and the user has disallowed
cookies?  Don't you get an ugly loop?

If the referer header was set, you could use that, but it does not appear
to be.  Anyone have a bright idea?


At 08:13 PM 6/28/2003, Stefan Radzom wrote:
>Your problem has just recently been discussed on this list. Ben Jessel
>proposed a workaround which I attached below. Hopefully, this might work for
>you.
>
>Stefan
>
>
> > -----Original Message-----
> > From: ben.jessel@(protected) [mailto:ben.jessel@(protected)]
> > Sent: Friday, June 27, 2003 1:42 PM
> > To: tomcat-user@(protected)
> > Subject: Possible workaround for invalid direct reference to login page
> >
> >
> > Java Authentication with tomcat relies on realms. If you access a page
> > protected by that realm you get directed to the login page.
> > However, it is possible to go directly to the login page ( this can happen
> > when users bookmark the login page inadvertently ).
> >
> > This happens in two scenarios:
> >
> > 1) The user is already logged in.
> > 2) The user is not logged in.
> >
> > If you authenticate yourself once you have gone directly to the login
> > page, you get an "invalid direct reference" error. Fair enough, the login
> > page is trying to redirect to itself. Now, I tried to work around this by
> > checking if the session is null, and if it is, redirecting to some
> > protected page, e.g. protected/index.jsp. No luck. It seems that a session
> > is implicitly created, and a new session id gets created.
> >
> > So I've tried a cookie strategy:
> >
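> > <%
> > // No cookies at all: the login page was requested directly, not via a
> > // container redirect from a protected page.
> > if ( request.getCookies()==null ) {
> > response.sendRedirect("/xxxx/jsp/protected/index.jsp");
> > return; // stop here so the response is not written to after the redirect
> > }
> > // Already authenticated: skip the login form.
> > if ( request.getRemoteUser()!=null )
> > {
> > response.sendRedirect("/xxxxx/jsp/protected/index.jsp");
> > return;
> > }
> > %>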
> >
> > i.e., we won't have a cookie if we've gone directly to the login page. But
> > we will have if we've tried to access a protected page and then we've been
> > forwarded to a login page, tomcat will give us a cookie.
> >
> > Now if we're already logged in ( which we check with getRemoteUser() ),
> > then we just forward the user to an index page.
> >
> > This seems o.k. However my index page actually includes my login page! I'm
> > planning to get around this with some logic that only includes the login
> > page excerpt if we are not logged in......
> >
> > Ben
> >
> >
>
> > -----Original Message-----
> > From: Brian Kuhn [mailto:bnkuhn@(protected)]
> > Sent: Sunday, June 29, 2003 1:16 AM
> > To: tomcat-user@(protected)
> > Subject: invalid direct reference to form login page...
> >
> >
> > Hi all,
> >
> > I've set up Tomcat (4.1.24) to do form based authentication. Everything
> > works great, except I've had to deal with a lot of users that type in the
> > url I've given them, get redirected to the login page, and bookmark the
> > login page before logging in.  Later, when they use the bookmark, they get
> > sent to the login page, but get an "Invalid direct reference to form login
> > page..." message once they log in.
> >
> > I understand why this happens, but don't know what to do about it.  Is there
> > a way to specify a default page to go to when the login page is requested
> > directly?
> >
> > Thanks,
> >       Brian Kuhn
> >       Telscape Communications
> >
> >
> >
> >
> > ====================
> > Brian Kuhn
> > bnkuhn@(protected)
> > ====================
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@(protected)
> > For additional commands, e-mail: tomcat-user-help@(protected)
> >
> >
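
An added example, not code from any poster in this thread: a login-page guard that keys on the session id the client presented rather than on cookies, so a browser with cookies disabled does not bounce between the login page and the protected page. The class name `LoginPageGuard`, the method `redirected` and the path `/jsp/protected/index.jsp` are hypothetical. It assumes the container rewrites its redirect to the login page with `;jsessionid=` when the browser refuses cookies, and it does not cover a user who already holds a live anonymous session and then opens the login page directly.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical helper for a FORM-auth login page. Call it first thing in the
 * login JSP: if (LoginPageGuard.redirected(request, response)) return;
 */
public final class LoginPageGuard {

    // Assumed context-relative path of a page inside the security constraint.
    private static final String PROTECTED_HOME = "/jsp/protected/index.jsp";

    private LoginPageGuard() {}

    /** Returns true if a redirect was sent and the caller must stop rendering. */
    public static boolean redirected(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        boolean loggedIn = req.getRemoteUser() != null;

        // The session id the client sent, from a cookie OR a ";jsessionid="
        // path parameter. Unlike getCookies(), this is non-null for a
        // cookie-less browser that followed a rewritten URL, and
        // isRequestedSessionIdValid() is false for a stale bookmarked id.
        boolean arrivedWithLiveSession =
                req.getRequestedSessionId() != null && req.isRequestedSessionIdValid();

        if (!loggedIn && arrivedWithLiveSession) {
            // Assumed: the container sent the user here after saving the
            // original request in that session, so show the login form.
            return false;
        }

        // Fixed target only. Building it from the Referer header or a request
        // parameter would turn the login page into an open redirect.
        String target = req.getContextPath() + PROTECTED_HOME;

        // encodeRedirectURL keeps the session id in the URL when cookies are off.
        res.sendRedirect(res.encodeRedirectURL(target));
        return true;
    }
}
```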