JSP Logging out

 
abiodun emmanual
Greenhorn
Posts: 6
I'm sorry if this sounds really silly (here goes),
when a user logs out of a web site, and they are directed to the "You have now logged out, thank you for using the site" page, how does the
application know to invalidate the authentication stuff that was entered by the user when they logged in? I.e. if the user logs out and leaves the
computer, is it possible that another user on the same computer can view the earlier user's info by pressing the "back" button? Or is the solution to invalidate the controller session bean?
Or, just as there is a special notion of a Login page that you can specify in the web.xml deployment descriptor, which the app knows it must go to for authentication purposes, is there one for Logging Off/out you can specify? Thank you for your time.
 
Ta Ri Ki Sun
Ranch Hand
Posts: 442
When you log in with a correct userName/password a valid session should be created, and when you log out, that session is invalidated, and any resources still held are released.
 
David O'Meara
Rancher
Posts: 13459
Almost, but not quite.
If you allow the application server to manage authentication, then there is extra information that is stored by the server. In some cases it may be necessary to execute some extra code against the server to get it to release this information as well.
I'll give an example of the behaviour for Form based authentication against WebSphere 4.0.3, since it is what I've been using most recently.
With Form based authentication, you have a login form that posts data to the j_security_check servlet. This servlet is managed by the server, and through configuration settings it knows how to authenticate someone, and from that point it also knows what they are allowed to do and can therefore manage authorisation.
You can also do this login functionality by hand using the SSOAuthenticator class (WebSphere specific). You do this (for example) when someone registers with a username and password, and you don't want them to have to go through the login page again since you already know everything you need.
When you want the person to logout, you should reverse the process before invalidating the session to allow the server to clean up anything it needs. It may also be the case (such as with WebSphere and LDAP) that the session and authentication details are two different things. The authentication details are stored in an encrypted cookie called the LTPAToken, which still exists if the session is invalidated.
We had a slightly different situation where we were using the session to store session data (surprise surprise), and assumed the session would be valid till the user logged out. Not true. When the session expired, the LTPAToken allowed the user to be authenticated again, and WebSphere handed out a new session ID. It gets very confusing if you are assuming some data is available on the session.
In summary: if you are using a container based authentication mechanism, read the documentation and do what the container expects for login/logout behaviour. I once believed session.invalidate() was enough to log someone out, but IBM cured me of that misconception.
Oh, and before someone tells me what the J2EE spec says, get the writers of WebSphere to read it first!
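The logout order described in the post above, as an added example that is not code from the thread or from WebSphere: let the container undo its own login state, expire the SSO cookie (the "LTPAToken" name comes from the post; its path "/" and the page "/loggedout.jsp" are assumptions), and only then invalidate the session. The vendor-specific SSOAuthenticator class is not used because its API is not shown here; HttpServletRequest.logout() is the portable Servlet 3.0 equivalent.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not code from the thread. Cookie name "LTPAToken" is the one
// named in the post; its path "/" and the page "/loggedout.jsp" are assumptions.
public class LogoutServlet extends HttpServlet {
    private static final String SSO_COOKIE = "LTPAToken";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // 1. Let the container undo its own login state first (Servlet 3.0+ API;
        //    older containers need their vendor-specific logout call here).
        try {
            request.logout();
        } catch (ServletException e) {
            // not supported or nobody logged in: carry on with the cleanup
        }

        // 2. Expire the SSO cookie. session.invalidate() alone leaves it in the
        //    browser, and the container would re-authenticate the user from it
        //    and hand out a brand-new session.
        Cookie gone = new Cookie(SSO_COOKIE, "");
        gone.setMaxAge(0);                  // delete now
        gone.setPath("/");                  // must match the path the container used
        gone.setSecure(request.isSecure());
        response.addCookie(gone);

        // 3. Only now drop the HTTP session and the application data on it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 4. Stop the browser caching this response so Back cannot replay a
        //    protected page for the next person at the same machine.
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);
        response.sendRedirect(request.getContextPath() + "/loggedout.jsp");
    }
}
```

The cache headers in step 4 only cover the logout response itself; the Back button replays whatever the browser cached earlier, so the same headers have to be set on every protected page (typically from a filter) for the scenario in the original question to be safe.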
 
David O'Meara
Rancher
Posts: 13459
"lizreb",
Your name does not comply to our naming convention (Described here)
Please edit your profile, otherwise your account will be in danger of being deleted.
Thanks,
Dave.
 
It is sorta covered in the JavaRanch Style Guide.