Logout page

 
Ranch Hand
Posts: 33
I have created a JSP page that takes the username and password of the user and if correct will forward them on to the appropriate JSP with admin rights to my database.
I am wondering now what would be the simplest method of implementing a logout so that when the user logged out they could not use the browser back button to go back to the admin page. I have added already the code to keep the browser from caching any of the pages so I think it is only a matter of validating and invalidating the session in the right places.
Could someone please give me an example of how to properly use the session validate and invalidate to keep the users of my web app from being able to use the back button and then do a refresh to get back to the admin page?
Thank you!!!
 
Ranch Hand
Posts: 76

Originally posted by Moined Mogul:
I have created a JSP page that takes the username and password of the user and if correct will forward them on to the appropriate JSP with admin rights to my database.
I am wondering now what would be the simplest method of implementing a logout so that when the user logged out they could not use the browser back button to go back to the admin page. I have added already the code to keep the browser from caching any of the pages so I think it is only a matter of validating and invalidating the session in the right places.
Could someone please give me an example of how to properly use the session validate and invalidate to keep the users of my web app from being able to use the back button and then do a refresh to get back to the admin page?
Thank you!!!



First thing that you should do is when the users are logging in, set an attribute:
session.setAttribute("logged", "1")
OR add this code on the top of the JSP pages:
<%
if(session.isNew())
{
response.redirect("PleaseLogin.jsp");
}
%>
When logging out, add this line:
session.invalidate();
Also, on all of your pages, add the HTML codes for non-caching in the browser. It only works correctly if HTTP 1.1 is activated, I believe. But either way, if the viewer tried to click on any links on your pages, the code above "session.isNew()" will forward them to another page, therefore protecting any changes.
 
Moined Mogul
Ranch Hand
Posts: 33
So should I add this code:
<%
if(session.isNew())
{
response.redirect("PleaseLogin.jsp");
}
%>

to both my login.jsp and my admin.jsp???
And then just invalidate the session in my logout.jsp???
That is it???
 
Rehan Malik
Ranch Hand
Posts: 76

Originally posted by Moined Mogul:
So should I add this code:
<%
if(session.isNew())
{
response.redirect("PleaseLogin.jsp");
}
%>
to both my login.jsp and my admin.jsp???
And then just invalidate the session in my logout.jsp???
That is it???


Well...close. You don't want to add that code to your "login.jsp" page if that's where the user will be adding the information. I'm guessing that the redirect should be as follows:
response.sendRedirect("login.jsp");
DO NOT add the check to see if the session is new on the login page or else you might end up in an infinite loop.
If you only have one page that needs the protection, add the code to JUST the admin.jsp page.
You also have to add the HTML headers in order to prevent caching and to expire the content as well.
I BELIEVE that the code in JSP for the headers is as follows:
<%
response.setHeader("Cache-Control", "no-cache");
response.setHeader("Pragma", "no-cache");
response.setDateHeader("max-age", 0);
response.setDateHeader("Expires", 0);
%>
This MAY not work since I've had reported problems of not being able to get this to work. This works with HTTP 1.1 protocols from what I remember.
The person may still be able to go to the admin page by hitting return BUT they won't be able to change the content.

 
Moined Mogul
Ranch Hand
Posts: 33
I got this error when I added the code you suggested to my JSP pages.
Compiling failed
.\home\WEB-INF\temp\admin_jsp.java:78: Method redirect(java.lang.String) not found in interface javax.servlet.http.HttpServletResponse.
response.redirect("adminlogin.jsp");
 
Rehan Malik
Ranch Hand
Posts: 76
WOOPS! Sorry
I meant this:
response.sendRedirect("login.jsp");

Originally posted by Moined Mogul:
I got this error when I added the code you suggested to my JSP pages.
Compiling failed
.\home\WEB-INF\temp\admin_jsp.java:78: Method redirect(java.lang.String) not found in interface javax.servlet.http.HttpServletResponse.
response.redirect("adminlogin.jsp");


 
Moined Mogul
Ranch Hand
Posts: 33
That is what you had quoted before....I am not getting the error now but can still get back to that page if I hit the back button and then do a refresh of the page???
Please help???
Thank you.
 
Moined Mogul
Ranch Hand
Posts: 33
The adminlogin is the actual name of my login.jsp file
 
Rehan Malik
Ranch Hand
Posts: 76

Originally posted by Moined Mogul:
That is what you had quoted before....I am not getting the error now but can still get back to that page if I hit the back button and then do a refresh of the page???
Please help???
Thank you.


Hmm - I wonder if there's a header where you have to set the content type and the HTTP Protocol to use. I don't have the book on me which has the list of all the headers, but let me look around real quick here at work.

----------------------------------------
okay try this:
<%
response.setDateHeader("Expires", 0);
response.setHeader("Pragma", "no-cache");
if (request.getProtocol().equals("HTTP/1.1"))
{
response.setHeader("Cache-Control", "no-cache");
}
%>
(I'm running out of ideas =)

[This message has been edited by Rehan Malik (edited July 11, 2001).]
 
Moined Mogul
Ranch Hand
Posts: 33
Thank you so much for your help...I would really appreciate it if you could look...thank you...
 
Rehan Malik
Ranch Hand
Posts: 76

Originally posted by Moined Mogul:
Thank you so much for your help...I would really appreciate it if you could look...thank you...



okay try this:
<%
response.setDateHeader("Expires", 0);
response.setHeader("Pragma", "no-cache");
if (request.getProtocol().equals("HTTP/1.1"))
{
response.setHeader("Cache-Control", "no-cache");
}
%>
I'm running out of ideas =)
Jump in anybody if you're reading this as well =)
 
Rehan Malik
Ranch Hand
Posts: 76

Originally posted by Rehan Malik:

okay try this:
<%
response.setDateHeader("Expires", 0);
response.setHeader("Pragma", "no-cache");
if (request.getProtocol().equals("HTTP/1.1"))
{
response.setHeader("Cache-Control", "no-cache");
}
%>
I'm running out of ideas =)
Jump in anybody if you're reading this as well =)



IF that doesn't work, try this:
response.setIntHeader("max-age", 0); //IE only;
response.setHeader("Cache-Control","no-cache"); //HTTP 1.1
response.addHeader("Cache-Control","no-store");
response.setHeader("Pragma", "no-cache"); //HTTP 1.0
response.setIntHeader ("Expires", -1); //prevents caching at the proxy server
response.addHeader("cache-Control", "private"); //IE5.x only;
(Source - Sun's JSP Forum - Posted by sunnyliu)
I'm giving the author the credit, HOPEFULLY, he knows this code works.

 
Rehan Malik
Ranch Hand
Posts: 76

Originally posted by Moined Mogul:
I have created a JSP page that takes the username and password of the user and if correct will forward them on to the appropriate JSP with admin rights to my database.
I am wondering now what would be the simplest method of implementing a logout so that when the user logged out they could not use the browser back button to go back to the admin page. I have added already the code to keep the browser from caching any of the pages so I think it is only a matter of validating and invalidating the session in the right places.
Could someone please give me an example of how to properly use the session validate and invalidate to keep the users of my web app from being able to use the back button and then do a refresh to get back to the admin page?
Thank you!!!


Well according to the lists that I've seen, the codes for setting the headers *should* work. As far as your original question about invalidating the session, if the user tries to refresh the page after you logout, they will be sent to the login page.
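
Added example (not code from any poster in this thread): one way to put the pieces discussed above together as a servlet filter plus a logout servlet. It checks the "logged" attribute set at login rather than session.isNew(), because a session created by the login page is no longer new on the next request. The class names, the /logout mapping and the javax.servlet namespace are assumptions; "logged", "1" and adminlogin.jsp come from the posts.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: map it to the protected pages (e.g. /admin.jsp) in web.xml.
public class AdminAuthFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // Ask browser and proxies not to keep a copy, so Back re-requests the page.
        res.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1
        res.setHeader("Pragma", "no-cache");                                    // HTTP 1.0
        res.setDateHeader("Expires", 0);

        // getSession(false) never creates a session; once the old session has
        // been invalidated, the next request gets null here.
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null
                && "1".equals(session.getAttribute("logged"));
        if (!loggedIn) {
            res.sendRedirect(req.getContextPath() + "/adminlogin.jsp");
            return; // never run the protected page for an unauthenticated request
        }
        chain.doFilter(rq, rs);
    }
}

// Hypothetical logout endpoint: map it to /logout in web.xml.
class LogoutServlet extends HttpServlet {
    // POST, so a stray link or image tag on another page cannot log the user out.
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate(); // drops "logged" and every other attribute
        }
        res.sendRedirect(req.getContextPath() + "/adminlogin.jsp");
    }
}
```

With this in place, a Back-then-Refresh after logout reaches the filter with no valid session and is redirected, whether or not the browser honoured the cache headers.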
 