
problems invalidating a session

 
Sergio Barreros
Greenhorn
Posts: 21
I have read a lot of posts about this, but none of the solutions have worked for me.
The problem is that I have a login page, instantiate a session, set variables on my session, and when I log out I use the session.invalidate(); method.
To keep my pages secure I use an if statement like

<%
// String.valueOf() turns a missing attribute into the string "null"
String loged = String.valueOf(session.getAttribute("logedin"));
if (loged.equals("false") || loged.equals("") || loged.equals("null")) { %>
<jsp:forward page="timeout.jsp">
</jsp:forward>
<% } %>

When I click the back button and try to use one of the protected links, they do not work, which is good, but when I click the browser's refresh button all HELL breaks loose and I am back in my session as if I never logged out.
I have tried using the no-cache tags, but they do not work with browsers except Internet Explorer. I have even tried to invalidate the same session twice and still nothing.

If there is anybody who has figured out this problem I would really appreciate it if you could tell me how to fix it.

Thanx
 
alan do
Ranch Hand
Posts: 354
The problem is not in the code you posted, but wherever and however you create that session attribute "logedin". If you depend on a POST to do your login and set the session attribute based on your POST data, the back button and refresh will certainly do it. If somehow you pass the login information into your GET, the same thing will occur.

Try also session.setAttribute("logedin",false); when the user logs out. Before processing the request, check the attribute to see whether or not it's true.
 
Sergio Barreros
Greenhorn
Posts: 21
Thanks for the suggestion, but still, if I set the logedin attribute to false when I click the logout button and then hit the back button, the same thing occurs. If anyone has any other suggestions I would really like to read what you have to say.
I also noticed this. This is the way the webapp works: I have an index page where the user enters the user name and password.
Then that gets posted to the login.jsp page, which just authenticates the credentials and forwards them to the home.jsp page if the login is successful.
When I hit the back button after I log off it takes me to the home.jsp page, which seems natural, being the page which I just came from. I click on a secure link, which then kicks me out to timeout.jsp, but then if I click the back button, it sends me to the login.jsp page which, when I refresh, I guess recreates the session, and I can use any of the secure links.

I tried a site of a person who is using JSPs as well and knows more about Java than me, and it behaves the same way, and this is a LIVE site. I can't just call him up and tell him because of personal problems, but maybe I'll drop him an email.

I am beginning to think that this is a Java flaw, or I am just plain stupid, because I've been at it for a few days.

Thanks guys
 
Adeel Ansari
Ranch Hand
Posts: 2874
You can just bind his status, as logged in, to his session after a successful login. This way you can check whether the request is coming from an authenticated user or not on every request, because the session which is automatically created isn't going to have those credentials bound to it.

By the way, what and how are you doing on logout?
[ April 30, 2005: Message edited by: Adeel Ansari ]
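
An added example, not part of the thread and not any poster's code: a servlet filter that applies the per-request check suggested above, with a login handler that redirects after the POST so that Refresh cannot re-submit the credentials. It assumes the javax.servlet API, filter and servlet mappings in web.xml, form fields named user and password, and a login form at index.jsp; credentialsValid is a hypothetical hook.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Guards every protected URL (the web.xml mapping is assumed).
class AuthFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // Keep the browser from replaying protected pages out of its cache.
        res.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        res.setHeader("Pragma", "no-cache");
        res.setDateHeader("Expires", 0);
        // getSession(false) never creates a session, so a fresh or
        // invalidated session cannot look authenticated.
        HttpSession s = req.getSession(false);
        if (s == null || !Boolean.TRUE.equals(s.getAttribute("logedin"))) {
            res.sendRedirect(req.getContextPath() + "/timeout.jsp");
            return;
        }
        chain.doFilter(rq, rs);
    }
}

// Handles the login form POST (field names and index.jsp are assumptions).
abstract class LoginServlet extends HttpServlet {
    // Hypothetical hook: the application supplies the real credential check.
    protected abstract boolean credentialsValid(String user, String password);

    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        if (!credentialsValid(req.getParameter("user"), req.getParameter("password"))) {
            res.sendRedirect(req.getContextPath() + "/index.jsp");
            return;
        }
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();   // drop any pre-login session
        req.getSession(true).setAttribute("logedin", Boolean.TRUE);
        // Redirect instead of forward: the page in the browser history is now
        // a GET of home.jsp, so Refresh or Back does not re-send the login POST.
        res.sendRedirect(req.getContextPath() + "/home.jsp");
    }
}
```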
 