Hi everyone.

Consider the following scenario:

1) User navigates to home page - then logs in, providing username and password. He/She navigates around the site, and then goes to a completely different site [without logging out of our site], and 2 minutes later comes back into our site [either via the Browser Back button, or by typing our URL fresh again, or by selecting a bookmark].

2) Now, the default functionality within JSP will not require the user to re-authenticate if cookies are being used [i.e. the jsessionid will be transmitted from browser to our site, and the original sessionid recognised as long as it hasn't timed out].

3) If cookies are not being used, the user session is lost, and when he/she comes back to our site, re-authentication will be required and a totally new session created by our Servlet engine.


So to my question:

a) Can we force the user to re-authenticate even when cookies are used? I think HTTP "Referer" property will achieve this, checking when it is null, and if so, redirecting the user to the "login" page.

b) Has anyone implemented such a solution in any other fashion? How?

Thanks

PM
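
The Referer check proposed in (a), written as a servlet filter. This is an added example, not part of the original post. It assumes the `javax.servlet` API, a filter mapped to `/*`, and a login page at `/login.jsp`; the class name and that path are hypothetical.

```java
import java.io.IOException;
import java.net.URI;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: forces a fresh login when a request carrying a live session
// did not come from one of our own pages (no Referer, or a foreign host).
public class ReauthOnExternalEntryFilter implements Filter {

    private static final String LOGIN_PATH = "/login.jsp"; // assumed login page

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false);       // never create one here

        boolean loginPage = req.getServletPath().equals(LOGIN_PATH);
        if (session != null && !loginPage && !cameFromOurSite(req)) {
            session.invalidate();                          // discard the old session state
            res.sendRedirect(req.getContextPath() + LOGIN_PATH);
            return;
        }
        chain.doFilter(rq, rs);
    }

    // True only when Referer is present and names the host this request was sent to.
    static boolean cameFromOurSite(HttpServletRequest req) {
        String referer = req.getHeader("Referer");
        if (referer == null || referer.isEmpty()) {
            return false;                                  // typed URL, bookmark, stripped header
        }
        try {
            String host = URI.create(referer).getHost();
            return host != null && host.equalsIgnoreCase(req.getServerName());
        } catch (IllegalArgumentException e) {
            return false;                                  // malformed Referer: treat as external
        }
    }
}
```

The Referer header is set by the client and is often stripped by browsers or proxies, so this works as a re-login prompt and not as an access control; the session timeout remains the enforcing limit.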