My problem is:
1) I have login.jsp, which takes a password. The user is admin by default.
2) I stored the password in a notepad file and authenticated using it.
3) After I log in I get demo.jsp, which has 3 frames.
4) In the header frame I provided a sign-out link. When I clicked it, it went to login.jsp.
5) I am struggling here.
a) After logging out, when I clicked back, it went to demo.jsp even though I had invalidated the session.
b) By searching on Google I found this code and pasted it into my JSP pages.
This is working fine in Internet Explorer but not in Firefox. Also, I can't understand the code which I pasted. Can anyone please help me understand it and get rid of my problem in both Internet Explorer and Firefox?
(Not actually disabling the button, but not allowing the user to go to the previous page, even on clicking the back button.)
When login.jsp is being displayed after the session is invalidated (note: here the session is already expired), then if you disable the back button,
the user will not be able to go to demo.jsp, and your session is already expired.
That could work out pretty well in most cases.
2. In some cases, the session might be invalidated, but the page will still be rendered. I think I gave a session check at the top of every page.
Something like code where the session is checked for a value (a value that will be inserted only if the login is valid and the session has not been invalidated), which, if not present, would say that the session is expired and redirect to the login page.
-edit- Can this be put in a jsp:include page?
3. The above would take care of most of the cases. The next problem comes with Firefox mostly, I think (-edit- No, most of the browsers). When you press the back button many times, you reach the login page, where the browser asks if it should send the data again. Click yes and bang! You are back as a logged-in user. Here you could edit the form to add a variable form value which changes every time a user uses that page; we used the current time in milliseconds, which is verified. This can be used to check whether the login page being used is current or not. If it was reached by the back button, the form value will be the old one, which can be checked in the login script.
Don't know if this is the link. But this seems to explain the same things that I had read: Solving Logout Problem Properly and Effectively - Java World
-Edit- Do correct me if I am wrong somewhere. Also do point out if there is something wrong with this approach to solving the logout problem. I use this extensively in my PHP applications.
I seem to be not that good at explaining things to people. Wouldn't it be better if I leave everything to the person who did the explanation in Java World (Kevin H Le)?
I would say I explained it in a mashed-up way. So, to clear things up, please read the article mentioned in the link.
One question about the same thing to everyone else: what if I include the code for the session check using a jsp:include in the page? Will it still work and redirect?
And do shoot if you have any more questions.
I visited your link but I couldn't clearly understand the following:
To fix this problem experienced in logoutSampleJSP2, logoutSampleJSP3's login.jsp should contain—in addition to the username and password—a hidden field called lastLogon that is dynamically initialized with a long value. This long value is obtained by calling System.currentTimeMillis() and denotes the current number of milliseconds since January 1, 1970. When the form in login.jsp is submitted, loginAction.jsp first compares the value from this field against the lastLogon field's value in the User database table. Only when the lastLogon value from the form is greater than the value in the database will it be considered a valid login.
I am just 2 weeks old in JSP/servlets,
so can you explain it to me simply?
From here (which you shouldn't have posted), I understand that you took in the first two things fully.
What you are asking about is the third scenario.
When does it happen?
You are already logged in. You log out.
Once logged out, you press the back button n times till you reach the login page.
You refresh; most browsers pass in the earlier submitted form values and you get logged in.
How do we prevent the form submission from being valid?
We are not trying to prevent form submission.
We are checking on the server side (in the servlet/JSP) whether the form submitted is the most recent form or the form that was generated earlier. So we put in a variable field.
You have a form with you which has the time field as in the article, meaning the value of that field is the time at which the JSP page loaded.
You log in successfully, you log out and come back as mentioned above.
While logging in, the login checking script inserted this value, obtained as the last login time, into the database.
If you come back and try to refresh and send the data as before, the form values are still the same. The login script checks whether it is larger than the last login time, which it has to be, since it is in milliseconds. If the page was reached in any other way, it would have had a different time for the value; hence you are redirected with a session inactive message.
Thanks a lot for the quick reply.
Yes, I can understand the concept fully now. I have one more silly question. I am sort of new to databases; I am using MySQL. Could you tell me what datatype to use to store the time? It is said to use a hidden field with a 'long' value, but I am just a bit confused about 'hidden field'...
So I guess I have to put this checking code in every page to be secure?
Shailendra Mishra wrote: Hi,
1. When successfully logged in, put the login name into the session.
2. In each JSP page get the value from the session; if you got a "!= null" value then OK,
otherwise forward to the session-out page.
3. Whenever the logout link is clicked, disable the session value.
It might help you out.
This should work! It's something like this:
In the login JSP:
In each page that should only be visible to logged-in users (you can use an include):
It just does the check on the server side, to make sure an unauthorized user cannot request pages from the server.
When the back button is used, the browser is fetching the data entirely from the browser cache.
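One way to put the two server-side pieces discussed in this thread (the no-cache headers from the first answer's point 1 and the per-page session check from point 2, Shailendra's steps and the post just above) in a single place is a servlet Filter, so the check is applied to every protected page without pasting a scriptlet or jsp:include into each one. This is an added example, not code from the thread or from the Java World article. It assumes Servlet 3.0+ with the javax.servlet packages (use jakarta.servlet on Jakarta EE 9 and later), that the login page is /login.jsp, that the login form posts to a servlet at /loginAction, and that a successful login stores the user name in the session attribute "username"; those names are hypothetical.

```java
// Added example: filter-based session check plus no-cache headers for a JSP login/logout flow.
// Assumed layout (not from the thread): /login.jsp, /loginAction, session attribute "username".
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebFilter("/*")
public class AuthFilter implements Filter {

    // Set by the login action on success; its absence means "not logged in".
    static final String USER_ATTR = "username";

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Step 1: forbid caching, so Back re-requests the page from the server instead of
        // showing a stored copy. Cache-Control is what current browsers honour; Pragma and
        // Expires are kept for older HTTP/1.0 caches.
        resp.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        resp.setHeader("Pragma", "no-cache");
        resp.setDateHeader("Expires", 0);

        // Step 2: the only pages reachable without a session are the login page and action.
        String path = req.getServletPath();
        if (path.equals("/login.jsp") || path.equals("/loginAction")) {
            chain.doFilter(req, resp);
            return;
        }

        // Step 3: everything else needs a live session carrying the login name.
        // getSession(false) must be used here so an anonymous request does not get a session.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            resp.sendRedirect(req.getContextPath() + "/login.jsp?expired=1");
            return;
        }
        chain.doFilter(req, resp);
    }

    // Logout as a servlet rather than a plain link to login.jsp: invalidate the server-side
    // session first, then redirect so the browser reaches login.jsp with a fresh GET.
    @WebServlet("/logout")
    public static class LogoutServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            resp.sendRedirect(req.getContextPath() + "/login.jsp");
        }
    }
}
```

With this in place the header frame's sign-out link points at /logout instead of login.jsp, and a Back press after logout produces a fresh request that the filter redirects to login.jsp because the session is gone. The check in step 3 is the same one a jsp:include at the top of every page would do; the filter simply cannot be forgotten on a page.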
Tania Sen wrote: I am sort of new to databases; I am using MySQL. Could you tell me what datatype to use to store the time? It is said to use a hidden field with a 'long' value...
I think a BIGINT in MySQL would do the job. Haven't checked it out exactly.
Tania Sen wrote: but I am just a bit confused about 'hidden field'... So I guess I have to put this checking code in every page to be secure?
I think you are talking about the time field that is a hidden one in the HTML. No, this is for validating the login only. So you have to put it in the login page only, nowhere else. This is because you are checking the time parameter only during login. What you are doing is, when the person logs in, you are putting the login time into the database. Later, when he comes to the form, he will get a new value. If he comes to the login page by pressing the back button, he will be getting the old time as the value. The login check script prevents him from logging in and redirects him to the login page (now he has the latest value, and so he can log in).
Tania Sen wrote: I have one more silly question..
Not at all!
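The lastLogon mechanism explained in the "What you are asking is the third scenario" post and again in the reply just above, written out as an added example. This is not the thread's code and not the Java World article's code; the User table is replaced by an in-memory map (the real column would be a MySQL BIGINT, since a Java long is 64 bits), the password check is a stub with constructed demo credentials, and the paths /loginAction and /demo.jsp and the session attribute "username" are assumptions. It also adds one guard the article does not describe: a lastLogon value ahead of the server clock is rejected, because the field is client-controlled and an inflated value would block later real logins for that user.

```java
// Added example: login servlet with the hidden lastLogon field check.
// Assumed names (not from the thread): /loginAction, /demo.jsp, session attribute "username".
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/loginAction")
public class LoginServlet extends HttpServlet {

    // Stand-in for the User table's lastLogon column (BIGINT in MySQL).
    private static final Map<String, Long> LAST_LOGON = new ConcurrentHashMap<>();

    // Stand-in for the real password check; constructed demo credentials.
    static boolean passwordMatches(String user, String password) {
        return "admin".equals(user) && "changeme".equals(password);
    }

    /**
     * The article's rule: the form's lastLogon must be strictly greater than the stored
     * value. A form replayed via Back/refresh carries the value that was stored when it
     * was first used, so it fails the comparison. Added guard: values ahead of the server
     * clock are rejected (client-controlled field). synchronized keeps compare-and-store
     * atomic for two submits of the same form arriving together.
     */
    static synchronized boolean acceptLastLogon(String user, long formTime, long now) {
        long stored = LAST_LOGON.getOrDefault(user, 0L);
        if (formTime <= stored || formTime > now) {
            return false;
        }
        LAST_LOGON.put(user, formTime);
        return true;
    }

    // GET: render the form with a fresh timestamp in the hidden field.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<form method='post' action='loginAction'>");
        out.println("<input type='hidden' name='lastLogon' value='" + System.currentTimeMillis() + "'>");
        out.println("User: <input name='username'> Password: <input type='password' name='password'>");
        out.println("<input type='submit' value='Login'></form>");
    }

    // POST: reject missing fields, then a stale form, then a wrong password; then start the session.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getParameter("username");
        String password = req.getParameter("password");
        if (user == null || password == null) {
            resp.sendRedirect(req.getContextPath() + "/loginAction?failed=1");
            return;
        }
        long formTime;
        try {
            formTime = Long.parseLong(req.getParameter("lastLogon"));
        } catch (NumberFormatException e) {
            formTime = 0;   // missing or tampered field: treated as stale
        }
        if (!acceptLastLogon(user, formTime, System.currentTimeMillis())) {
            // Replayed form: send the user a fresh form rather than demo.jsp.
            resp.sendRedirect(req.getContextPath() + "/loginAction?stale=1");
            return;
        }
        if (!passwordMatches(user, password)) {
            resp.sendRedirect(req.getContextPath() + "/loginAction?failed=1");
            return;
        }
        // Drop any leftover session, then store the login name the protected pages check for.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = req.getSession(true);
        session.setAttribute("username", user);
        resp.sendRedirect(req.getContextPath() + "/demo.jsp");
    }
}
```

The timestamp is compared and stored before the password is checked, so a mistyped password also consumes the form and the user is sent a fresh one; that is harmless, and it means the stored value only ever moves forward. With a real database, the compare-and-store in acceptLastLogon becomes a single UPDATE ... WHERE name = ? AND lastLogon < ? whose affected-row count tells you whether the login was accepted.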
Lots of thanks to dear Ayoma and Chinni; all of my login-logout problems are solved, guys. Your posts really solved my problems. This is exactly what I was looking for for years.
Now my login-logout mechanism is just like Orkut's.
You people are really geniuses. Thanks a lot again.
Here is my code:
<a href="UserLogin_Index.jsp" id="logout" name="logout">Logout</a>
response.setDateHeader("Expires", 0);
Please revert back ASAP.