Session Invalidation and Timeout !

Hi Guys !!!
Due to security reasons it is required that in case the user is currently sitting idle for too long (say 5 min's) then the application "should automatically log the user out"
Secondly, i am also having problems destroying a session when the user clicks on the "logout" button.
Following is the way i have implemented :-
In the Controller Servlet i am making a check to see it the current Session is valid by invoking the method session.isRequestedSessionIdValid() and if it is not a valid session then the user should be redirected to the login page. However, i noticed after printing the session ID on each jsp that when the "logout" button is clicked and the user is directed to a "thank you" page then, on that page a different session id is being printed on the jsp page. Now, when the back button is pressed and any of the site links are clicked the user gets to have a look at all the site information as though he has'nt yet logged out.
How should these problems be solved ???
Pls Suggest
Thanks Guys !

Originally posted by Sam Furtado:
Hi Guys !!!
Due to security reasons it is required that in case the user is currently sitting idle for too long (say 5 min's) then the application "should automatically log the user out"

you should put a entry in the web.xml file like
<session-config><session-timeout>xxx</session-timeout></session-config>
xxx should be in minutes

Secondly, i am also having problems destroying a session when the user clicks on the "logout" button.
Following is the way i have implemented :-
In the Controller Servlet i am making a check to see it the current Session is valid by invoking the method session.isRequestedSessionIdValid() and if it is not a valid session then the user should be redirected to the login page. However, i noticed after printing the session ID on each jsp that when the "logout" button is clicked and the user is directed to a "thank you" page then, on that page a different session id is being printed on the jsp page. Now, when the back button is pressed and any of the site links are clicked the user gets to have a look at all the site information as though he has'nt yet logged out.
How should these problems be solved ???
Pls Suggest
Thanks Guys !

When the user click logout, you should explicitly invalidate the session by call session.invalidate()

Hi! Bill
Thanks for your reply !
I have currently implemented it in the same fashion. I am aware that if the user's session has timed out then, the container would go ahead and destroy that session. However, at that point of time i would'nt want an internal site page to still be viewable to others. In other words, if the system is idle for some time then, an automatic redirection should take place. This would be very much similar to how windows 2000/NT based systems maintain system security wherein if the user has not used the system for a specified amount of time then, the system automatically logs off and goes into a sign in mode(normally ctrl-alt-del is pressed to specify user identification details).
Similarly, in the second problem wherein the user clicks the sign out button. In this case i am invoking the Controller Servlet which in turn is invoking a particular servlet which peforms the task of invalidating the current session. This is done by invoking session.invalidate(). Following which the user is forwaded to a "Thank You Page". As mentioned earlier to track sessions i am printing the session id on every page so, it is on this page too. The result of the session id printed on this page is a different session id which, is expected and right. However, when the user now clicks on the back button he is still able to view the complete site. Furthur, when the user clicks on any link now, what gets printed is the new session id. Also, since i have implemented this application using the MVC Pattern wherein every request is first sent to the Controller Servlet wherein, i am checking whether current session is valid by invoking the request.isRequestedSessionIdValid() and if not redirecting the user to the Login Page. However, this does'nt happen since, as in the above senario after invalidating a users sesion and redirecting the user to a thank you page a new session is now created which is now considered by the browser to be a valid session.
How should these problems be solved so as to have stronger site security implemented ???
Pls Suggest.
Thank You

This is just a shot in the dark, but have you tried redirecting the client using response.sendRedirect()? I don't know why the container isn't invalidating the session, but this would force a new request from the client, and may solve the problem (in a way that shouldn't be container specific).
Chris

use a hidden frame , set a global javascript variable counting time whenever there is an activity resetting the time counter.
whenever there is 5 min completed, call session invalidating jsp page.
from there .
hope it will help

Hi, Sam,
I think for the first problem, prabhat's suggestion will be helpful. Since HTTP is stateless protocol, there is no way that the container knows about the browser unless there is a request coming from the browser.
For the second problem, you have to include some session checking page in your JSPs. It should be very simple through <%@ include %> tag.
For instance, <%@ include file="sessioncheck.jsp" %>
and the sessioncheck.jsp will look like the follwing:
<% if(session.isNew()){
//do something
}
else {//do something else} %>
Hope this help.

In your Thank You page, try putting this scriptlet on the first line:
<%@ page session="false"%>
This way, you page will not create a new session.
Hope this helps!