Ok, to resume:

1. The very first operation during request processing will be getConnection() con_1 without login/password. login() proc will be called with empty login or will not be called at all. I prefer the second option, since in both cases session_info won't have any records, and therefore there won't be any access to privileged tables.
2. con_1 is used for checking if the user is logged in, using the userid that is stored in HttpSession after successful login/registration.
   2-1. User not logged in.
      2-1-1. There is no DB operation on this servlet that requires authentication.
         2-1-1-1. con_1 released after DB communication job is done. logout() proc is not called.
      2-1-2. There is a DB operation on this servlet that requires authentication.
         2-1-2-1. User redirected to login. con_1 released, logout() proc is not called.
   2-2. User logged in.
      2-2-1. con_1 is used for getting login, password, server from DB using userid from HttpSession.
      2-2-2. con_1 released. logout() proc is not called.
      2-2-3. Call getConnection(login, password,..) which returns con_2. login() proc called with login/password.
      2-2-4. con_2 released after DB communication job is done. logout() proc is called.

Regarding steps 2-1-1. and 2-1-2.: if the DB operation needs authentication, it will return 'access denied' code.

Please comment.
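The flow proposed above, as an added example that is not part of the original post: a small in-memory Python model that records which procs run on con_1 and con_2 in each branch. The `USERS` data, the result strings, the `lookup` and `privileged_op` helpers, and the choice to run logout() before release are assumptions made for the illustration.

```python
# Constructed sample data: userid -> (login, password, server)
USERS = {7: ("alice", "pw-7", "db1")}

class Conn:
    """Model of a pooled connection; session_info is set only by login()."""
    def __init__(self, name, trace):
        self.name, self.trace, self.session_info = name, trace, None
    def lookup(self, userid):
        # Steps 2 and 2-2-1: resolve the HttpSession userid over con_1.
        return USERS.get(userid)
    def login(self, login, password):
        self.trace.append(self.name + ".login")
        if any((login, password) == u[:2] for u in USERS.values()):
            self.session_info = login
    def logout(self):
        self.trace.append(self.name + ".logout")
        self.session_info = None
    def privileged_op(self):
        # Privileged tables answer only when session_info has a record.
        return "ok" if self.session_info else "access denied"
    def release(self):
        self.trace.append(self.name + ".release")

def get_connection(name, trace, login=None, password=None):
    con = Conn(name, trace)
    if login is not None:      # step 1, second option: no login() call at all
        con.login(login, password)
    return con

def handle_request(http_session, needs_auth):
    """Return (result, trace of proc calls) for one request."""
    trace = []
    con_1 = get_connection("con_1", trace)                    # step 1
    creds = con_1.lookup(http_session.get("userid"))          # step 2
    if creds is None:                                         # 2-1
        code = con_1.privileged_op() if needs_auth else "ok"
        con_1.release()                                       # no logout()
        return ("redirect to login" if code == "access denied" else "served"), trace
    con_1.release()                                           # 2-2-2
    login, password, _server = creds
    con_2 = get_connection("con_2", trace, login, password)   # 2-2-3
    code = con_2.privileged_op() if needs_auth else "ok"
    con_2.logout()                                            # 2-2-4 (assumed before release)
    con_2.release()
    return ("served" if code == "ok" else "redirect to login"), trace
```
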
Authoright © Total Knowledge: 2001-2008