
Killing a session in a servlet!!

 
sachin pathak
Greenhorn
Posts: 27
I will summarise my problem here for your reference.
I have a delete-order page showing a number of orders.
This page has code which checks whether the session has an object
called admin. Only if this object is present in the session are the further
orders shown; otherwise we forward the user to the login page.
On clicking the logout link we call
session.invalidate();
Also we are explicitly removing the admin object from the session by calling
session.removeAttribute("admin");
Now I take the following steps.
1. Login
2. Go to the delete orders page.
3. Logout from the system.
4. Click the browser's back button to go back to the delete orders page.
5. Try deleting some orders.
Ideally, since the admin has logged out, he should be forwarded to the
login page, but this is not happening. It is allowing the orders to be
deleted.
On the other hand, I could not understand the reason why simply
session.invalidate() won't work? Is there any misunderstanding about the
way session.invalidate() works? Please help out.
Thanks in advance
Sachin
 
Praful Thakare
Ranch Hand
Posts: 643
Sachin,
If I got your words, this is what you are doing...
1) Before displaying orders in the delete order page, you check for the admin role in the session.
--This means if the admin role is found, orders are displayed, and they can be deleted. Hence if you click the back button, as the page is coming from the cache there is no session check and all orders are visible and can be deleted.
So I would suggest checking for the admin role when the delete button is processed.
2) If I'm wrong in the 1st point, i.e. you have the check on the delete button, then what is the first statement in your logout page, session.invalidate or session.remove.....??
I guess session.remove.... must precede session.invalidate();
Hope this gives you some help
Cheers
Praful
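The two points above (re-check the role when the delete action is processed, and remove the attribute before invalidating) as a worked servlet filter. This is an added example, not code from the thread; the filter is assumed to be mapped in web.xml to the delete-orders page and its delete action, and the login path `/login.jsp` is an assumption. It also sends no-store headers so the browser's back button cannot replay the cached order list.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter: mapped (in web.xml) to the delete-orders page and the
// delete action, so the admin check runs on every request, not only on render.
public class AdminFilter implements Filter {

    private static final String ADMIN_ATTR = "admin";      // attribute name from the thread
    private static final String LOGIN_PAGE = "/login.jsp"; // assumed login page path

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Forbid caching so Back cannot show the order list from the browser cache.
        resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        resp.setHeader("Pragma", "no-cache");
        resp.setDateHeader("Expires", 0);

        // getSession(false): do not create a fresh, empty session for a logged-out user.
        // After invalidate(), the stale cookie no longer maps to a session, so this is null.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute(ADMIN_ATTR) == null) {
            resp.sendRedirect(req.getContextPath() + LOGIN_PAGE);
            return; // the delete action behind this filter never runs
        }
        chain.doFilter(request, response);
    }

    // Logout in the order suggested above: remove the attribute, then invalidate.
    public static void logout(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.removeAttribute(ADMIN_ATTR);
            session.invalidate();
        }
    }

    public void init(FilterConfig config) { }
    public void destroy() { }
}
```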
 
sachin pathak
Greenhorn
Posts: 27
I am removing the object from the session before I am invalidating it.
I am using a value object of type Member stored in the session. The Member class has a method called isAdmin which decides whether the user is admin or not! We are also checking the validity of the user in the actual delete action code. But the main problem is that in spite of invalidating the session, the admin object can be retrieved from the session. This is a real pain in the wrong place.
I searched the web for the problem and it seems that this problem is prevalent all over the world, but nobody has suggested a solution and also nobody knows why this issue occurs.
I am pasting some links below to show the gravity of the problem. Javaranch itself has discussed the problem in the past quite a few times, but nobody is sure why this happens. Please visit
Click Here for link 1
If anybody knows the issue please help.
Thanks in advance
Sachin
 