How to remove JSESSIONID cookie on session invalidation

 
Ranch Hand
Posts: 49
Hi,

I am calling session.invalidate() in my web application, but this does not remove the JSESSIONID cookie. One of our customers has raised this as a security threat. They fear a scenario where a different user can do a Back and Refresh on the same browser and use the previous user's session.

So let me know of a way of invalidating the existing JSESSIONID cookie once session.invalidate has been called.
 
Ranch Hand
Posts: 184
Once you invalidate the session, how can a user do a Back and Refresh and access the same (already invalidated) session? Even if the JSESSIONID is still present, the session whose ID it is holding is already invalidated, so how can you get that session back?
 
Puneet Agarwal
Ranch Hand
Posts: 49
I guess since we are using the same browser, it reuses the existing JSESSIONID.
 
abhishek pendkay
Ranch Hand
Posts: 184
My point is that when you call session.invalidate() the session object is destroyed, so even if you use the same browser, which will send the same JSESSIONID, how will you be able to access an object (the session in this case) after it has been destroyed?
 
Ranch Hand
Posts: 74
Puneet,

I agree with abhishek. Please check your problem again. Maybe it is some other issue.
 
Puneet Agarwal
Ranch Hand
Posts: 49
I will try and put the problem differently:

I have a web application which presents a login page to the user. The user enters his user id and password and is logged in. He then browses to another page and clicks Exit to log out. Logout also results in a call to session.invalidate(). After this the user clicks the Back, Back and Reload buttons in the browser, and he is again logged into the application without having to re-enter the user id and password.

Any idea how I can avoid such a situation?
 
Ranch Hand
Posts: 129
Puneet wrote:
After this the user clicks the Back, Back and Reload buttons in the browser, and he is again logged into the application without having to re-enter the user id and password.
Any idea how I can avoid such a situation?

Puneet,

How can he log in again without entering his username and password?

Have a look at this FAQ on avoiding the browser cache when the same URL is called again.
 
Author and all-around good cowpoke
Posts: 13078
Puneet wrote:
he is again logged into the application without having to re-enter the user id and password.

No, it just looks like he is logged into the application. Any form submission from that old page will have the old JSESSIONID cookie attached. When your program attempts to retrieve that session, it will fail. It is up to you to provide the proper logic to detect this.

Bill
 
Puneet Agarwal
Ranch Hand
Posts: 49
Bill,

There is no failure. I should mention that it's a POST request that gets fired when the user does a RELOAD after hitting BACK. Also, I did not understand your statement that it is up to us to handle it properly. Can you elaborate a little more on this, please?

Regards,
Puneet
 
William Brogden
Author and all-around good cowpoke
Posts: 13078
If the session was truly invalidated, your code that receives the POST request should not be able to retrieve the old session. Do you have any evidence that this is actually happening?

If you are using getSession() and it does return a session, it should be a new one; see the isNew() method of HttpSession.

You should be using getSession(false), which would return null if the old session has indeed been invalidated.

Bill
 
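Putting Bill's advice (use getSession(false) rather than getSession(), or check isNew()) together with the earlier reply about the browser cache and the original question about the cookie, here is an added example. It is not code from this thread or from any particular project. It assumes the javax.servlet API (Servlet 3.0 or later, for the annotations), a hypothetical login page at /login.jsp, and that the login code stores the authenticated user under a hypothetical session attribute named "user".

```java
// File: LogoutServlet.java (added example; javax.servlet, Servlet 3.0+ assumed)
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    // Headers that stop the browser from showing a protected page from its cache
    // when the user presses Back; shared with the filter below.
    static void noCache(HttpServletResponse resp) {
        resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        resp.setHeader("Pragma", "no-cache");   // HTTP/1.0 clients and proxies
        resp.setDateHeader("Expires", 0);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(false) never creates a session; null means nothing to destroy.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();               // destroys the server-side object only
        }
        // The browser still holds the JSESSIONID cookie after invalidate().
        // Overwrite it with an already-expired cookie on the same path.
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setMaxAge(0);
        String ctx = req.getContextPath();
        expired.setPath(ctx.isEmpty() ? "/" : ctx); // must match the path the container used
        expired.setHttpOnly(true);
        expired.setSecure(req.isSecure());
        resp.addCookie(expired);

        noCache(resp);
        resp.sendRedirect(ctx + "/login.jsp");  // hypothetical login page
    }
}

// File: AuthFilter.java (added example)
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebFilter("/*")
public class AuthFilter implements Filter {
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        String ctx = req.getContextPath();
        String path = req.getRequestURI().substring(ctx.length());

        // A stale JSESSIONID (Back + Reload re-sending the old POST) no longer maps
        // to a session, so getSession(false) returns null here. With getSession()
        // you would get a fresh, empty session instead and would need isNew().
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("user") != null; // "user" is assumed

        boolean publicPath = path.startsWith("/login") || path.equals("/logout");
        if (!loggedIn && !publicPath) {
            LogoutServlet.noCache(resp);
            resp.sendRedirect(ctx + "/login.jsp");
            return;
        }
        LogoutServlet.noCache(resp);            // protected pages must not be replayed from cache
        chain.doFilter(request, response);
    }
}
```

Two things matter here. The filter is what actually closes the hole: the re-sent POST carries the old cookie, the container finds no session for it, getSession(false) returns null, and the request is bounced to the login page instead of being treated as authenticated. Expiring the JSESSIONID cookie is mostly hygiene for the customer's auditor, since a dead ID is useless to the server; it only works if the path on the expiring cookie matches the one the container set, which you can confirm in the browser's cookie viewer after logout. The Cache-Control: no-store header is what makes Back refetch the page rather than display the cached, logged-in copy that makes it "look" as if the user is still logged in.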
Puneet Agarwal
Ranch Hand
Posts: 49
Bill,

I agree that the old session is not getting retrieved. But my problem is that using a combination of Back and Refresh I am able to log in to the application without having to enter the credentials again. Where are the credentials being stored? Does the browser store them in a cookie? If yes, is there a way I can invalidate the cookie?
 
Ranch Hand
Posts: 621
Hi Puneet,

This has already been discussed somewhere before. See if it helps.

Dhwani:>Winning is not important but it is the only thing.
 