
Logout using HttpSession

 
Jane Cosey
Greenhorn
Posts: 5
Hello,

I've read many posts on creating a logout method. I've tried all the ideas but they don't seem to work. I want the user to log out and not go back to the page by using the back button and other ways. A lot of people are saying to use request.getSession().invalidate(); but this isn't working for me. I'm using a servlet and a JSP.


Jane

[ January 28, 2005: Message edited by: Jane Cosey ]
 
Ben Souther
Sheriff
Posts: 13411
The pattern mentioned in this thread should take care of the "back button" issues for you:
http://www.coderanch.com/t/359668/Servlets/java/display-data-servlet-jsp-page

Call session.invalidate() just as you were when the user makes the initial post. Then redirect them to another page. If they try to use the back button, they will need to resubmit the last post (the logout), which will put them back where they just were. They will soon realize that this is an endless circle and move on or log in again.
 
Jane Cosey
Greenhorn
Posts: 5
Well thanks but I'm not asking for "How to display data from a servlet to a jsp page" this is where the link you provided takes me. Can somebody tell me what I'm doing wrong??? If you find something wrong in the code I provided please show by example. Thanks

Also I am using the Session.invalidate and redirecting back to the login page but all they have to do is press the back button and refresh. When they do so they are back to the page where they logged out.


[ January 27, 2005: Message edited by: Jane Cosey ]
 
Ben Souther
Sheriff
Posts: 13411
Read the whole thing. It started out with a question about forwarding from a servlet to a JSP but turned into a discussion about a pattern that will work for your situation.

You are invalidating the session correctly. Now you just need to put in a trap to stop the user from backing into any of your pages.
 
Jane Cosey
Greenhorn
Posts: 5
OK, I read it and you are setting up your servlet differently, but I have the same thing in a different way. I am forwarding the page and it doesn't work like you are explaining.


I get forwarded to the login page but I can use the back button to return to the page I logged out of.



[ January 28, 2005: Message edited by: Jane Cosey ]
 
Ben Souther
Sheriff
Posts: 13411
Are you using a request.sendRedirect call?
[ January 27, 2005: Message edited by: Ben Souther ]
 
Ben Souther
Sheriff
Posts: 13411
And does the logout button send a POST request?
 
Adeel Ansari
Ranch Hand
Posts: 2874
I think it's something on the client side; something comes up from the browser cache. Because sometimes when I shut down my Tomcat, even then I am able to go back and forth via the browser buttons, but of course I am not able to refresh after logging out or server shutdown. And just to add, I am using the POST method.

thanks.
 
Adeel Ansari
Ranch Hand
Posts: 2874
You will get the message "page expired" if that page tries to retrieve some attribute from the session; otherwise, not sure. It means you would get a translation time error because your session is invalidated.

Sometimes when you click your back button, even then the previous page tries to get some attribute from the session, although it is there in the cache.

please, correct me if wrong.

cheers.
 
Ben Souther
Sheriff
Posts: 13411
That pattern works for me,
The user clicks the logout form which sends a post request to the servlet.
The servlet invalidates the session and sends a redirect to another page.

I then take it a step further (which may be the difference) and have a JS function on the page make another post to the logout using the onload event.
On the second logout, I forward to the login page.

At this point, if the user tries to use the back button, they have to go through two Post traps (the browser telling them that they have to refresh due to an expired page). If they try to refresh either of them, they just end up logging out again and are brought to the same place.

In my case, using JS is OK because our app requires it to do anything in the first place. It's not a public application. Users with JS disabled would not be able to view any sensitive information to begin with.
If you're concerned about using JS, you can use a meta-refresh instead. I believe that's what this BBS uses when you make a post.
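Added example, not code from any poster in this thread: a server-side sketch of the flow described above (logout by POST, invalidate, then redirect), combined with a filter that checks the session on every protected request and marks responses as non-cacheable, which addresses the browser-cache behaviour raised earlier in the thread. The paths `/logout`, `/app/*` and `/login.jsp`, the `"user"` session attribute and all class names are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public final class LogoutExample {

    /** Assumed mapping: /logout. The logout form submits here with method="post". */
    public static class LogoutServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            HttpSession session = req.getSession(false); // do not create one just to destroy it
            if (session != null) {
                session.invalidate();
            }
            // Redirect, not forward: the browser issues a fresh GET for the login page,
            // so the address bar and history entry no longer point at the logout POST.
            resp.sendRedirect(req.getContextPath() + "/login.jsp");
        }
    }

    /** Assumed mapping: every protected URL, e.g. /app/*. */
    public static class AuthFilter implements Filter {
        @Override public void init(FilterConfig cfg) {}
        @Override public void destroy() {}

        @Override
        public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) rq;
            HttpServletResponse resp = (HttpServletResponse) rs;

            // Ask the browser not to keep a copy, so Back has to request the page again.
            resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
            resp.setHeader("Pragma", "no-cache");
            resp.setDateHeader("Expires", 0);

            // "user" is an assumed attribute that the login code sets on success.
            HttpSession session = req.getSession(false);
            if (session == null || session.getAttribute("user") == null) {
                resp.sendRedirect(req.getContextPath() + "/login.jsp");
                return;
            }
            chain.doFilter(req, resp);
        }
    }
}
```

Because the classes are nested, they would be registered in web.xml as `LogoutExample$LogoutServlet` and `LogoutExample$AuthFilter`.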
 
Jane Cosey
Greenhorn
Posts: 5
Ben,

I'm using what you're using, well, except for getServletContext();. I'm using cases and reference request.getRequestDispatcher(forwardPg).forward(request, response) once instead of using it in every case and method that I created. It's more manageable. Anyway you asked "And does the logout button send a POST request?" I'm using a string and it goes to the logout method that I displayed above. So what is the code (JS) for the JSP that you mentioned above? This may be my problem.




[ January 28, 2005: Message edited by: Jane Cosey ]
 
Ben Souther
Sheriff
Posts: 13411
For the logout button:


The servlet then redirects to a page that has this:


If the servlet sees "relogout" as the value, it sends the user to the login page.

The 2nd part is probably redundant but I wanted to make sure the user has been to another page before being sent back to the login.
This creates two "Post Traps" as I call them.

I'll stress again: Using Javascript for security is not a good idea. In my case,
1. it's redundant (it's in addition to a server side solution) and
2. I already know that the user has a browser that supports it and has it enabled long before they would ever get to the logout section.

If you have to support older browsers or if it's at all possible for the user to see sensitive information with JS disabled, don't bother with any of this.
 
Jane Cosey
Greenhorn
Posts: 5
Well Ben, thanks for your time, but Java should be able to make this work without JS. This is just a waste of time.
 
Ben Souther
Sheriff
Posts: 13411
It's more about understanding how browsers work. That it's Java, PHP, Perl, or whatever on the server has nothing to do with it.

Good luck
 