I am leaning about sessions in jsp.
I have a application which send login and pass to servlet.
If they correct servlet create a new session and send a page.jsp to client.
Page checks if any session exist if not not create new one and blocks user.
I want to block a possibility to access to this page when there is any session,
but if I use:
<%@ page session=false %@>
I will loose access to old session
(if she exist).
How to force jsp to connect to old session but not to create new one?
If I miss something I will by very grateful for :
- best practices
- links, explanation etc
- any advices 🙂
You can’t create a session. You can only get a session, and this will return a previously created session (if present), or create one and return it (if no session present yet).
Even non logged-in users can have a session. In fact, they will have one by default if they browse to a JSP which doesn’t have
session=false. The authentication should simply getthe session, and store some
authenticatedflag (oruserIdtoken) in the session.If you don’t want authenticated users to go to the login page, then when they go to this page, check if the
userIdtoken is already in the session, and redirect to some other page.