Hi, I've written an application with a custom login system, and then written my own security filter for it which sets the area that can be accessed. Yet I always get redirected to the login page and then to the index page, which is the logged-in home page. I have discovered that the session ID is different from when I log in to when I try to use something that is restricted. Here is my code:

public class securtityFilter implements Filter {

    public void init(FilterConfig filterConfig) throws ServletException {
        //To change body of implemented methods use File | Settings | File Templates.
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) servletRequest;
        // if there is no userBean, then they have not gone through
        // the login, so kick them to the login page
        if(null==req.getSession().getAttribute("username"))
        {
            ((HttpServletResponse)servletResponse).sendRedirect("../Login.jsp");
            System.out.println("Redirected - No session");

        }
        // otherwise, let them go to the page/resource they want
        filterChain.doFilter(servletRequest, servletResponse);
        System.out.println("Gone through Filter");

        //  System.out.println("In Filter Servlet: "+ req.getSession().getId());

    }

    public void destroy() {
        //To change body of implemented methods use File | Settings | File Templates.
    }

}

Here is my web.xml file:

<filter>
    <filter-name>SecurityFilter</filter-name>
    <filter-class>filters.securtityFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SecurityFilter</filter-name>
    <url-pattern>/add/*</url-pattern>
</filter-mapping>

So if anyone can help me with this problem then please. If you would like any more code then let me know. Thanks in advance, Dean

A: 

Try changing

if(null==req.getSession().getAttribute("username"))

to

HttpSession ses = req.getSession(false); // null if no current
if(null == ses || 
   null == ses.getAttribute("username"))

so that it never creates a new session inside your filter. Let the login page create the sessions.

Sean A.O. Harney
This then throws a null pointer exception
Dean
I edited my post, try this.
Sean A.O. Harney
This is the error that now pops up:
25-Jul-2009 22:46:30 org.apache.jasper.runtime.JspFactoryImpl internalGetPageContext
SEVERE: Exception initializing page context
java.lang.IllegalStateException: Cannot create a session after the response has been committed
Dean
Add return statements immediately after your redirects. And make sure you are not doing anything with the HttpResponse in your filters chain.
Sean A.O. Harney
How do you mean? Sorry, I am new to J2EE.
Dean
Wherever you have sendRedirect() calls just add a return after them. It is complaining because something is being written to the HttpResponse besides the redirect you wanted.
Sean A.O. Harney
OK, thanks for that, yet it didn't work. I'm still getting redirected to the login page.
Dean
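The two changes suggested in this answer and its comments, combined into one filter, as an added example that is not code from the original thread. The class name SessionAuthFilter is hypothetical, and the redirect target assumes Login.jsp sits at the web application root. Without the return, filterChain.doFilter() still runs the resource under /add/* for a request that has no login, even though the client only sees the redirect.

```java
package filters;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: SessionAuthFilter is a hypothetical name, not the asker's class.
public class SessionAuthFilter implements Filter {

    public void init(FilterConfig filterConfig) throws ServletException {
        // no configuration needed
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // getSession(false) returns null when the request carries no valid
        // session, instead of silently creating a fresh, empty one.
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("username") != null;

        if (!loggedIn) {
            // Assumption: Login.jsp is at the web application root. Building the
            // URL from the context path avoids "../" resolving differently
            // for deeper paths such as /add/a/b.
            res.sendRedirect(req.getContextPath() + "/Login.jsp");
            return; // stop here: the protected resource must not execute
        }

        // Only requests with an established login reach the protected resource.
        chain.doFilter(request, response);
    }

    public void destroy() {
        // nothing to release
    }
}
```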
A: 

In your login servlet you have

while (rs.next())
{
  HttpSession session = request.getSession(true);
  String tmp = rs.getString(1);
  System.out.println(tmp);
  session.setAttribute("username", tmp);
  count++;
}

So if you have no username attribute in your session, it is because this code block is not being executed. I assume that you are looping through the results of a database query, so check whether the actual query that you are executing returns any results.

Caroline Orr