JSP login/logout session problem

 
Ramesh Sunkara
Ranch Hand
Posts: 78
hi guys,

My problem is

1) I have login.jsp which takes a password. The user is admin by default.

2) I stored the password in a notepad file and authenticated against it.

3) After I log in I get demo.jsp, which has 3 frames.

4) In the header frame I provided a signout link. When I click it, it goes to login.jsp.

5) I am struggling here.
a) After logging out, when I click Back it goes to demo.jsp even though I invalidated the session.

b) By searching on Google I found this code and pasted it into my JSP pages:
<%
// Tell HTTP/1.0 caches and proxies not to serve a stored copy
response.setHeader("Pragma","no-cache");
// Tell HTTP/1.1 caches not to store the response at all
response.setHeader("Cache-Control","no-store");
// Mark the response as already expired; the setDateHeader call below
// replaces this Expires value with a date in the past
response.setHeader("Expires","0");
response.setDateHeader("Expires",-1);
%>
This is working fine in INTERNET EXPLORER but not in FIREFOX. And also I can't understand the code which I pasted. Can anyone please help me to understand it and get rid of my problem in both Internet Explorer and Firefox.



Thank You,

Ramesh S

 
Chinna Eranna
Ranch Hand
Posts: 174
Another way could be to disable the back button.
(Not actually disable the button, but not allow the user to go to the previous page, even on clicking the back button.)

http://csharpdotnetfreak.blogspot.com/2009/04/disable-browser-back-button-javascript.html

It shows ASP code, but the JavaScript should be the same.
 
Ramesh Sunkara
Ranch Hand
Posts: 78
Hi Chinna,
Thanks for your help.

I actually do not want to disable the back button; even if the back button is clicked it shouldn't be able to redirect to demo.jsp.
The session should be expired.

Thank You
 
Chinna Eranna
Ranch Hand
Posts: 174
>> a) After loggin out when i clicked back, its going to demo.jsp even though i invalidated the session.

When login.jsp is being displayed after the session is invalidated (note: here the session is already expired), then if you disable the back button,

the user will not be able to go to demo.jsp, and your session is already expired.
 
Maximus Moothiringus
Ranch Hand
Posts: 46
I don't know if what I say is correct. But if I remember correctly, I worked around this problem some time back.

1. Doing

could work out pretty well in most cases.

2. In some cases, the session might be invalidated, but the page will still be rendered. I think I put a session check at the top of every page.
Something like code where the session is checked for a value (a value that will be inserted only if the login is valid and the session has not been invalidated), which if not present would say that the session is expired and redirect to the login page.
-edit- Can this be put in a jsp:include page?

3. The above would take care of most of the cases. The next problem comes with Firefox mostly, I think (-edit- No, most of the browsers). When you press the back button many times, you reach the login page, where the browser asks if you should send the data again. Click yes and bang! You are back as a logged in user. Here you could edit the form to add a variable form value which changes every time a user uses that page - we used the current time in milliseconds, which is verified. This can be used to check if the login page that is being used is current or not. If it's reached by a back button, the form value will be the old one, which can be checked in the login script.

-edit-

Don't know if this is the link. But this seems to explain the same things that I had read. Solving Logout Problem Properly and Effectively - Java World

-Edit- Do correct me if I am wrong somewhere. Also do point out if there is something wrong with this approach to solving the logout problem. I use this extensively in my PHP applications.
 
Ramesh Sunkara
Ranch Hand
Posts: 78
Thank You Max Moothiringodan

I didn't fully understand what you said. I am just a beginner. Thanks for your help.
 
Maximus Moothiringus
Ranch Hand
Posts: 46
Hi Ramesh,

I seem to be not that good at explaining things to people. Wouldn't it be better if I leave everything to the person who did the explanation in Java World (Kevin H Le)?

I would say I explained it in a mashed-up way. So, to clear up, please read the article mentioned in the link.

One question about the same thing to everyone else. What if I include the code for the session check using a jsp:include into the page? Will it still work and redirect?

And do shoot if you have any more questions.
 
Tania Sen
Greenhorn
Posts: 8
Hi Max,
I visited your link but I couldn't clearly understand the following:
To fix this problem experienced in logoutSampleJSP2, logoutSampleJSP3's login.jsp should contain—in addition to the username and password—a hidden field called lastLogon that is dynamically initialized with a long value. This long value is obtained by calling System.currentTimeMillis() and denotes the current number of milliseconds since January 1, 1970. When the form in login.jsp is submitted, loginAction.jsp first compares the value from this field against the lastLogon field's value in the User database table. Only when the lastLogon value from the form is greater than the value in the database will it be considered a valid login.

I am just 2 weeks old in JSP/servlets,
so can you explain it to me simply?
 
Maximus Moothiringus
Ranch Hand
Posts: 46
Okay. Let's put it like this.

From here (which you shouldn't have posted), I understand that you took in the first two things fully.

What you are asking about is the third scenario.

When does it happen?
You are already logged in. You log out.
Once logged out, you press the back button n times till you reach the login page.
You refresh; most browsers pass in the earlier submitted form values and you get logged in.

How do we prevent the form submission being valid?
We are not trying to prevent form submission.
We are checking on the server side (in the servlet/JSP) if the form submitted is the most recent form or a form that was generated earlier. So we put in a variable field.

More explanation:
You have a form with you which has the time field as in the article, meaning the value of that field is the time at which the JSP page loaded.
You log in successfully, you log out and come back as mentioned above.
While logging in, the login checking script inserted this value into the database as the last login time.
If you come back and try to refresh and send the data as before, the form values are still the same. The login script checks if it's larger than the last login time, which it has to be since it's in milliseconds. If it was reached in any other way, it would have had a different time for the value; hence you are redirected with a session inactive message.
 
Tania Sen
Greenhorn
Posts: 8
Hi Max,
Thanks a lot for the quick reply.

Yes, I can understand the concept fully now. I have one more silly question. I am sort of new to databases; I am using MySQL. Could you tell me what datatype to use to store the time? It is told to use a hidden field with a 'long' value, but I am just a bit confused about 'hidden field'.

So I guess I have to put this checking code in every page to be secure?
 
Shailendra Mishra
Greenhorn
Posts: 4
Hi,
1. When the user logs in successfully, put the login name into the session.
2. In each JSP page get the value from the session; if you get a value that is != null then OK,
otherwise forward to the session-out page.
3. Whenever the logout link is clicked, clear the session value.

It might help you out.
 
Ayoma Wijethunga
Ranch Hand
Posts: 38
Shailendra Mishra wrote:Hi,
1. When the user logs in successfully, put the login name into the session.
2. In each JSP page get the value from the session; if you get a value that is != null then OK,
otherwise forward to the session-out page.
3. Whenever the logout link is clicked, clear the session value.

It might help you out.


This should work! It's something like this:

In login JSP


In each page that should only be visible to logged in users (you can use an include)


In logout




Regards.

 
Ayoma Wijethunga
Ranch Hand
Posts: 38
Sorry guys! The above method is not going to work.

It just does the check on the server side, to make sure an unauthorized user cannot request pages from the server.

When the back button is used, the browser is fetching the data entirely from the browser cache.
I tried using JavaScript, but even JavaScript will not be executed, because the browser cache is something already rendered.



 
Ayoma Wijethunga
Ranch Hand
Posts: 38
I double checked this issue:

Adding the lines below to a JSP page will stop client-side caching.

However, it is worthless to add these lines in the login JSP or logout JSP. Make sure you add these lines to the pages that you do not want to expose to unauthenticated users.



Regards
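Putting the two pieces of this thread together, the server-side session check from Shailendra's post and the no-store headers that Ayoma says belong on the protected pages rather than on login.jsp, in one servlet Filter. This is an added example, not code from the thread; the /app/* pattern, the userid session attribute and the login.jsp path are assumptions, and the logout link is assumed to call session.invalidate().

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (not from the thread). Everything under /app/* (where demo.jsp
// would live) requires a session carrying the "userid" attribute that the login
// code sets; both names are assumptions. Pages that pass the check are sent with
// no-store headers so that after logout the browser must re-request them (and be
// redirected) instead of showing a cached copy when Back is pressed.
@WebFilter(urlPatterns = "/app/*")
public class AuthenticatedPageFilter implements Filter {

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session as a side effect of an anonymous hit.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("userid") == null) {
            // Not logged in (or logged out via session.invalidate()): back to the login page.
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }

        // The headers from Ramesh's scriptlet, sent only on protected pages:
        // Cache-Control: no-store  -> HTTP/1.1 caches must not keep a copy (Firefox also
        //                             excludes no-store pages from its back/forward cache)
        // Pragma: no-cache         -> the HTTP/1.0 equivalent for old proxies and browsers
        // Expires: 0               -> already stale for caches that only understand dates
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        chain.doFilter(request, response);
    }
}
```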
 
Maximus Moothiringus
Ranch Hand
Posts: 46
Tania Sen wrote:i am sort of new to database,i am using mysql...could you tell me what type of datatype to store the time,it is told to use hidden field with a 'long' value...

I think a bigint in MySQL would do the job. Haven't checked it out exactly.

Tania Sen wrote:but i am just a bit confused about 'hidden field' ... So i guess i have to put this checking code in every page to be secure ?

I think you are talking about the time field that is a hidden one in the HTML. No, this is for validating the login only. So you have to put it in the login page only, nowhere else. This is because you are checking the time parameter only during login. What you are doing is, when the person logs in, you are putting the login time into the database. Later, when he comes to the form, he will get a new value. If he comes to the login page by pressing the back button, he will be getting the old time as the value. The login check script prevents him from logging in and redirects to the login page (now you have the latest value and so he can log in).

Tania Sen wrote:i have one more silly question..

Not at all!
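The lastLogon replay check Max describes here and in his earlier posts, written out as an added example that is neither the thread's nor the Java World article's code. The in-memory maps stand in for the User table and the password store, and the "admin"/"secret" credentials and the timestamps are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

// Added example (not from the thread or the Java World article). login.jsp puts
// System.currentTimeMillis() at render time into a hidden lastLogon field;
// loginAction.jsp accepts the login only if that value is newer than the lastLogon
// stored for the user. The maps are constructed stand-ins for the User table
// (lastLogon would be a MySQL BIGINT, as Max suggests) and for the password store.
public class LastLogonLoginCheck {
    private final Map<String, String> passwordByUser;
    private final Map<String, Long> lastLogonByUser = new HashMap<>();

    public LastLogonLoginCheck(Map<String, String> passwordByUser) {
        this.passwordByUser = passwordByUser;
    }
    /** What loginAction.jsp does with the submitted user, password and hidden field. */
    public boolean login(String user, String password, long lastLogonFromForm) {
        String expected = passwordByUser.get(user);
        if (expected == null) {
            return false;
        }
        // Constant-time comparison so the check does not leak how many characters matched.
        boolean passwordOk = MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8));
        if (!passwordOk) {
            return false;
        }
        // A form the browser replays after Back still carries the timestamp from before
        // the previous login, so it is not newer than the stored value and is rejected.
        long stored = lastLogonByUser.getOrDefault(user, 0L);
        if (lastLogonFromForm <= stored) {
            return false;
        }
        lastLogonByUser.put(user, lastLogonFromForm);   // the UPDATE of User.lastLogon
        return true;
    }

    public static void main(String[] args) {
        Map<String, String> store = new HashMap<>();
        store.put("admin", "secret");   // constructed credentials
        LastLogonLoginCheck check = new LastLogonLoginCheck(store);
        long oldForm = 1_000L;          // fixed timestamps keep the run deterministic
        System.out.println("fresh form: " + check.login("admin", "secret", oldForm));
        System.out.println("same form replayed after Back: " + check.login("admin", "secret", oldForm));
        System.out.println("newly rendered form: " + check.login("admin", "secret", 2_000L));
    }
}
```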
 
Tania Sen
Greenhorn
Posts: 8

Thanks Max for all the help.
The logout problem is now getting under control.
 
sunny nagar
Greenhorn
Posts: 2
Hey!!!
Lots of thanks to dear Ayoma and Chinna. All of my login-logout problems are solved, guys. Your posts really solved my problems; this is exactly what I was looking for for years.
Now my login-logout mechanism is just like "Orkut".
You people are really geniuses. Thanks a lot again.
 
Rosu Thomas
Greenhorn
Posts: 17
I need to set the session value to null when I click on the logout hyperlink, but my scriptlet code is getting executed when the page is loading. I need it to be executed only when the link is clicked.
Here is my code:

<a href="UserLogin_Index.jsp" id="logout" name="logout"> Logout
<%
// This scriptlet runs on the server while the page is rendered, not when the link is
// clicked; a plain GET of this page carries no "logout" parameter, so the branch is skipped
if(request.getParameter("logout")!=null)
{
response.setHeader("Cache-Control","no-cache");
response.setHeader("Pragma","no-cache");
response.setDateHeader ("Expires", 0);
session.setAttribute("userid",null);
}
%>
</a>

Please revert back ASAP.

Thank you
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65530
Code that is to be executed on a click either needs to be on the new page loaded by the click, or needs to be triggered by intercepting the click with JavaScript.
 
Rosu Thomas
Greenhorn
Posts: 17
Yes, I did like that; that is OK now. But now the problem is that when I click the back button after logout, it's loading from the browser cache; my page is not loading. I tried setting the header but it's not working. Please help me.
 
Rosu Thomas
Greenhorn
Posts: 17
Thank you all. Logout problem solved. Thanks to CodeRanch.
 