问题描述
|
在jsp Login或Session()中,最好在会话中放入用户名或ID?
并在servlet或jsp页面上进行测试吗?
我在外面的jsp页面中使用此代码,但我认为这不安全
<%if(session.getAttribute(\"username\") == null){%>
<%
String err ;
Connection cnn;
Class.forName(System.getProperty(\"database.driver\",\"com.MysqL.jdbc.Driver\"));
cnn = DriverManager.getConnection(\"jdbc:MysqL://localhost:3306/sondage\",\"root\",\"\");
Statement stat1 = cnn.createStatement();
String Username,Password;
Username=request.getParameter(\"UserName\");
Password=request.getParameter(\"passWord\");
//Le nomre de produits
ResultSet resultat = stat1.executeQuery(\"select * from utilisateur where username =\'\"+ Username +\"\' and password = \'\"+Password+\"\'\");
if (resultat.next()) {
session.putValue(\"username\",Username);
Requestdispatcher rd =request.getRequestdispatcher(\"Vote.jsp\");
rd.forward(request,response);
}
else {
Requestdispatcher rd =request.getRequestdispatcher(\"authentification.jsp?err=1\");
rd.forward(request,response);
}
%>
解决方法
这完全取决于您。我个人只是在其中放置了一个表示“ 1”实体的Javabean,这样我就可以立即访问其所有属性,并且通常在servlet中进行操作。
@Override
protected void doPost(HttpServletRequest request,HttpServletResponse response) throws ServletException,IOException {
String username = request.getParameter(\"username\");
String password = request.getParameter(\"password\");
User user = userDAO.find(username,password);
if (user != null) {
request.getSession().setAttribute(\"user\",user);
response.sendRedirect(\"userhome\");
} else {
request.setAttribute(\"message\",\"Unknown login,try again\");
request.getRequestDispatcher(\"/WEB-INF/login.jsp\").forward(request,response);
}
}
<%if(session.getAttribute(\"username\") == null){%>
Filter
ResultSet resultat = stat1.executeQuery(\"select * from utilisateur where username =\'\"+ Username +\"\' and password = \'\"+Password+\"\'\");