Session problem

hi everyone,
I have a small application that I am developing and now I am trying to use sessions. I want to set the session when a user logs in and invalidate it when the user logs out. In between the login and logout there are many things that a user can do (many possible actions).
I have set the scope="session" option in my struts-config.xml file, and I also set the session when a user logs in and invalidate it when a user logs out. Some code snippets are as follows. First, in my struts-config.xml I have...


My LoginAction.java and LogoutAction.java are as follows.



Now, when I am testing it, I log in, do a lot of actions and log out. I then open another browser, try to gain access and do some actions, and it still lets me in. In other words, after I log out, someone can just gain access to the system. Can anyone suggest how I correct this error, or perhaps link me to a similar example that uses sessions?
Thank you very much.
lee
My guess is that what you're trying to control access to isn't checking to see if the user is logged in.

Try this: restart your context, open a new browser, then without logging in, try to access your system. If you can get in, you'll need to add code to verify that the user is logged in.

Personally, I check 'user logged in' status on every page and before performing any requested action.
 
lee kris
hi Ray Stojonic and everybody,
Ray, you are right, I was not doing the user check on every page. I understand what you want me to do but am not sure how. I have never done it before. Do I add a "user checking status" on all the actions (Java files)?


Do I also need to set scope="session" in my struts-config.xml where all the actions are being used as the forward path?
A snippet of code would be very helpful.
I am thinking the following might do but not sure.



Thanks for your response and patience.
Lee
 
Ray Stojonic
That's the basic idea.

To that I would add some code to check if the user is valid, like:



because a failed login would most likely still cause a user object to be placed in the session, even though the user failed authentication.
 
lee kris
Thanks Ray,
I will do that and update you of the progress by tomorrow.
Thank you once again,
Lee
 
lee kris
hi Ray Stojonic and everybody,
I followed the suggestion you gave me and the session timeout works. Thanks. However, I have also noticed that it does not work in certain instances. For instance, if I log in, go to some pages, log out and then paste a URL in the same browser, it lets me in (unless it has been 30 minutes). If I log out, the session should be invalidated and I should not be able to access any pages after that.
On the other hand, if I kill the browser, open a new one and then paste a URL (one of the pages), then it says sessionTimeout (which is what I want). Also, after 30 minutes (Struts default session timeout) of inactivity it does time out (this is good). So the only problem that I have is if I log in, go to some pages, log out and, immediately, paste a link which should only be accessible if a user has a session, in the same browser; then it does NOT say sessionTimeout or invalid session. I do invalidate in my logout action as follows:

So can anyone please suggest what I could be missing?
Thanks guys.
lee
 
Ray Stojonic
Hi Lee,

Assuming that you're using some sort of User bean, I'll guess that your servlet access code goes a little like this:

In other words, it depends on the user having a validated user bean and a current session.

When you invalidate the session on logout, a new session immediately takes its place, so the session portion is valid.

Contrary to what we might think, the user bean is still hanging around at this point, so on pasting a URL, the user can still get in after logging out.

The solution (hopefully) is rather simple: prior to invalidating the session, invalidate the user (don't just shut the door, also take away their key).
[ September 12, 2005: Message edited by: Ray Stojonic ]
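As an added example (not code from this thread), here is one way to lay out the three pieces Ray's two replies describe, in Struts 1 terms: a LoginAction that stores the User in the session only after the credentials pass, a LogoutAction that removes the User and then invalidates the session, and a small guard that every protected Action can call. Names are assumptions: the session attribute "user", the forwards "success", "loginFailed" and "loggedOut", the request parameters, and UserDao.authenticate(), a hypothetical lookup that returns a User on success and null otherwise; User is the class Lee mentions. The detail that decides whether the check works is request.getSession(false): getSession() with no argument creates a new, empty session on demand, so a check that only asks whether a session exists will always pass after logout.

```java
// Three small classes shown in one listing; in a project each public class goes in its own file.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Single place that knows the session attribute name (assumed: "user"). */
final class SessionKeys {
    static final String USER = "user";
    private SessionKeys() { }
}

/** Reads the logged-in User without ever creating a session as a side effect. */
final class SessionGuard {
    static User currentUser(HttpServletRequest request) {
        // getSession(false) is the whole point: getSession() would silently hand out
        // a brand-new empty session, so "is there a session?" would always be true.
        HttpSession session = request.getSession(false);
        if (session == null) {
            return null;
        }
        Object u = session.getAttribute(SessionKeys.USER);
        return (u instanceof User) ? (User) u : null;
    }
    private SessionGuard() { }
}

/** LoginAction.java: puts a User in the session only after the password check passes. */
public class LoginAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        // Parameter names are assumptions; a LoginForm bean would work the same way.
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        // Hypothetical lookup: returns a User on success, null on bad credentials.
        User user = UserDao.authenticate(username, password);
        if (user == null) {
            // Nothing is stored on failure, so a later "user in session?" check
            // cannot be satisfied by a login attempt that did not succeed.
            return mapping.findForward("loginFailed");
        }

        // Start from a fresh session at login, so whatever session id the browser
        // held before authenticating is not the one that now carries the login.
        HttpSession stale = request.getSession(false);
        if (stale != null) {
            stale.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute(SessionKeys.USER, user);
        return mapping.findForward("success");
    }
}

/** LogoutAction.java: take away the key, then shut the door. */
public class LogoutAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        HttpSession session = request.getSession(false);   // never create one just to kill it
        if (session != null) {
            session.removeAttribute(SessionKeys.USER);     // the user object is gone ...
            session.invalidate();                          // ... and so is the session
        }
        // From here on SessionGuard.currentUser(request) returns null for this browser,
        // whether the next request is a pasted URL or a form submit.
        return mapping.findForward("loggedOut");
    }
}
```

Every protected Action then starts with the same two lines: if SessionGuard.currentUser(request) is null, return mapping.findForward("sessionTimeout") (assumed forward name) and do nothing else. If the User is also kept in a session-scoped form bean or copied into a JSP, that copy has to be cleared in LogoutAction too, since only the attributes of the invalidated session disappear on their own.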
 
lee kris
hi Ray,
I get what you said about invalidating the user.
Here is what I tried and related codes.


And my logout Action is as follows (this is where I am invalidating the session and the user).



I tried this and it did not work, so I am just not sure if this is the right way of invalidating the user.
User, by the way, is a class that deals with all of the user's information.
Thanks.
lee
 
The problem reported could have been due to the browser caching pages. A Google search for 'Solving the logout problem' should yield an article describing some solutions for browser caching.
 
Um, I know it's been a long time since this topic's been active, but instead of adding the code to check if the user is logged in on every page, I think it would be loads better to use a filter to do the same. That way you have a single point of control: if you need to modify the code, you do it in one place, and you won't accidentally miss out some JSP/Servlet either.
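An added example, not from the thread, of the filter approach this last post and Ray's first reply both point at, with the no-cache headers the browser-caching post mentions folded in. It assumes a session attribute named "user", a login action at /login.do and a logout action at /logout.do that must stay reachable without a session, and a page /sessionTimeout.jsp to send unauthenticated requests to; the web.xml mapping in the header comment is what makes the filter run for every request, so no Action or JSP can be forgotten.

```java
// LoginCheckFilter.java: one login check for every request, instead of one per Action.
//
// web.xml (Servlet 2.3 or later):
//   <filter>
//     <filter-name>loginCheck</filter-name>
//     <filter-class>LoginCheckFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>loginCheck</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginCheckFilter implements Filter {
    private static final String USER_KEY = "user";                    // assumed session attribute
    private static final String TIMEOUT_PAGE = "/sessionTimeout.jsp"; // assumed page
    // Paths that must work without a session (assumed mappings). Everything else is protected.
    private static final String[] PUBLIC_PATHS = {
        "/login.do", "/logout.do", "/login.jsp", TIMEOUT_PAGE
    };

    public void init(FilterConfig config) throws ServletException { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Protected pages must not be served from the browser cache, otherwise Back or a
        // pasted URL after logout can show the old page without the server seeing a request.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");   // HTTP/1.0 caches
        response.setDateHeader("Expires", 0L);

        String path = request.getServletPath();
        if (!isPublic(path) && !isLoggedIn(request)) {
            response.sendRedirect(request.getContextPath() + TIMEOUT_PAGE);
            return;                                  // do not run the rest of the chain
        }
        chain.doFilter(req, res);
    }

    /** Default deny: a path is public only if it is on the list. */
    static boolean isPublic(String path) {
        for (int i = 0; i < PUBLIC_PATHS.length; i++) {
            if (PUBLIC_PATHS[i].equals(path)) {
                return true;
            }
        }
        return false;
    }

    /** getSession(false): never create a session while deciding whether one exists. */
    static boolean isLoggedIn(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session != null && session.getAttribute(USER_KEY) != null;
    }
}
```

Static resources (images, stylesheets) need to be added to the public list or mapped outside the filter, since with a default-deny list they would otherwise be redirected too. The filter complements, rather than replaces, the removeAttribute and invalidate in the logout action: the filter decides who gets in, the logout action is what makes the old session unusable.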
 