
Sessions in Servlets

 
rahul markonda
Greenhorn
Posts: 9
Hi,

My lib project is almost completed. I implemented it in servlets. Thanks for the advice.
Now I need to use sessions,
because after log out, if they press the browser back button it is still taking them to their profile, which is completely wrong.
I used the JSP code
<script type="text/javascript">
// Push the browser forward again whenever it lands on this page via the back button.
window.history.forward();
</script>
to prevent the browser back button from going back to the log on page after logging in,
but as I told you before, after log out it is still going back to their profile.
How should I use HttpSession?
 
Ronald Castillo
Ranch Hand
Posts: 47
Java MySQL Database PHP
Try setting your profile page cache headers to an old date so when they try to go back, the page will have expired.
 
Ron Ingram
Ranch Hand
Posts: 73
Are you invalidating the session correctly upon logout? If so, are you correctly checking for valid sessions within your app throughout navigation in your JSPs?

I believe if both answers are "yes", then you will need to rely on JavaScript or browser settings. The user will not be able to do anything, because if you click on something after hitting the back button on the browser, the server will throw an error and send the user to a designated page (usually the main login screen).
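The two server-side pieces the replies above ask about (invalidating the session on logout, and checking for a valid session on every protected request while marking those pages uncacheable) look roughly like this. This is an added example, not code from the original thread or from Rahul's project; it assumes a session attribute named "user" is set by a (hypothetical) login servlet, a login page at /login.jsp, and that the filter is mapped to the protected URL pattern in web.xml. The two classes go in separate files.

```java
// --- AuthFilter.java ---
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class AuthFilter implements Filter {
    static final String USER_ATTR = "user";        // assumption: attribute set at login
    static final String LOGIN_PAGE = "/login.jsp"; // assumption: login page path

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Mark every protected page as uncacheable. Without this the back button
        // shows the browser's stored copy of the profile page without ever hitting
        // the server, so no session check can run at all.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache"); // HTTP/1.0 clients and proxies
        response.setDateHeader("Expires", 0);      // already expired

        // getSession(false) never creates a session for an anonymous visitor.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;
        if (!loggedIn) {
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }
        chain.doFilter(req, res);
    }
}

// --- LogoutServlet.java ---
// Logout drops the whole session, so the "user" marker and everything else is gone;
// the next request for a protected page fails the filter check above.
public class LogoutServlet extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        response.sendRedirect(request.getContextPath() + AuthFilter.LOGIN_PAGE);
    }
}
```

Map the filter with a `<filter-mapping>` whose `<url-pattern>` covers the profile pages (for example /profile/*), and make the logout link a small POST form rather than a plain GET link so that a third-party page cannot log the user out by embedding an image URL. After this, pressing back after logout either re-requests the page (and gets redirected to login) or, in browsers that keep a copy despite the headers, shows a page whose links all lead to the login screen, which is the behaviour Ron describes.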
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65522
105
IntelliJ IDE Java jQuery Mac Mac OS X
This has nothing to do with sessions, but with caching.
 
Sujata Samal
Greenhorn
Posts: 20
Hi Rahul,

You can also add javascript:history.forward() in your logout page which will prevent the IE back button working.


-Sujata
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65522
105
IntelliJ IDE Java jQuery Mac Mac OS X
Which is a trick no self-respecting web developer would use, and which is easily defeated, thereby offering no added security.
 
Sujata Samal
Greenhorn
Posts: 20
Adding tricks on top of securities is . If someone reads carefully, I wrote "you can also add........"

-Sujata
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65522
105
IntelliJ IDE Java jQuery Mac Mac OS X
No. Using easily defeated tricks and pretending that they add security is just self-deception.
 
Sujata Samal
Greenhorn
Posts: 20
Ha ha...no one would pretend history.forward() adds security in the application!!

-Sujata
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65522
105
IntelliJ IDE Java jQuery Mac Mac OS X
Then what is your point?
 
Sujata Samal
Greenhorn
Posts: 20
Whoever posted this query should have read the other two replies:

-> invalidating cache
-> invalidating session in logout

So I meant that in addition to this you can also add history.forward().

Hope it's clear now.

-Sujata
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65522
105
IntelliJ IDE Java jQuery Mac Mac OS X
If it adds no extra security, I fail to see why anyone would add this. But to each...
 
Sujata Samal
Greenhorn
Posts: 20
As you wrote, and I agreed, it does not add any security; it's just a trick to make it hard for the user to navigate back.

-Sujata
 
Paul Clapham
Sheriff
Posts: 21876
36
Eclipse IDE Firefox Browser MySQL Database
Just a feature which annoys the user but has no practical purpose, then?
 
Sujata Samal
Greenhorn
Posts: 20
From my experience, there was a scenario:

-> where the user submits a page, let's say SubmittingPage, clicks the back button and can submit again, but we wanted to avoid the re-submit;
-> we can't invalidate/expire the cache, as SubmittingPage can be accessed from another page and should populate the previously keyed-in values.

There might be some other ways to implement it (maybe using a one-time token), but we found implementing history.forward() more convenient at that point of time.

In this case, how can I say there is no practical purpose??

-Sujata.
 
Paul Clapham
Sheriff
Posts: 21876
36
Eclipse IDE Firefox Browser MySQL Database
Sure, I suppose there might be a few cases where it's necessary to prevent the user from going back (even though it's not actually possible to do that). But the vast majority of the time when people want to do that, it's because they haven't figured out the right way to prevent the actual problem. I'm in favour of fixing the actual problem rather than installing a cheap hack which doesn't work reliably.
 
Lalit Mehra
Ranch Hand
Posts: 384
Eclipse IDE Firefox Browser Java
I agree with Bear ...

You should check on the caching part though ...

and make sure you have invalidated the session upon logout ...

If so, and the user clicks the browser back button, then check for proper credentials before allowing the user to go back ... or otherwise just show an error page.
 
Sujata Samal
Greenhorn
Posts: 20
Paul - Could you please share your thought(s) on how to resolve this kind of problem (other than a one-time token)? I will definitely rethink to implement your solution/a feasible solution!!


-Sujata.
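The one-time token approach Sujata mentions for the double-submit scenario, worked through as an added example (not code from the thread or from any poster's project). It assumes a hidden form field and session attribute both named "formToken", a servlet mapped at /submit, and a confirmation page at /submitted.jsp. Because the page stays fully dynamic (the GET can repopulate previously keyed-in values from the session before rendering), no cache headers are needed to prevent the repeat submission: the second POST simply fails the token check.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.*;

public class SubmitServlet extends HttpServlet {
    static final String TOKEN_ATTR = "formToken";   // assumption: session attribute name
    static final String TOKEN_FIELD = "formToken";  // assumption: hidden field name
    private static final SecureRandom RNG = new SecureRandom();

    // Fresh unpredictable token, URL-safe so it can be dropped straight into HTML.
    static String newToken() {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // GET renders the form and stores the token that this rendering is allowed to spend.
    // Previously entered values (kept in the session by the app) can be filled in here.
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String token = newToken();
        request.getSession(true).setAttribute(TOKEN_ATTR, token);
        response.setContentType("text/html;charset=UTF-8");
        response.getWriter().print(
              "<form method='post' action='submit'>"
            + "<input type='hidden' name='" + TOKEN_FIELD + "' value='" + token + "'>"
            + "<input name='title'><button>Submit</button></form>");
    }

    // POST spends the token. Consume it before doing any work, so a repeated POST
    // (back button + submit, double click, refresh) finds no token and is rejected.
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(TOKEN_ATTR);
        if (session != null) {
            session.removeAttribute(TOKEN_ATTR);
        }
        String submitted = request.getParameter(TOKEN_FIELD);
        if (!tokensMatch(expected, submitted)) {
            response.sendError(HttpServletResponse.SC_CONFLICT,
                    "Form already submitted or session expired");
            return;
        }
        // ... process the submission exactly once here ...
        // Redirect after POST, so a refresh re-issues a harmless GET instead of the POST.
        response.sendRedirect(request.getContextPath() + "/submitted.jsp");
    }

    // Constant-time comparison; null on either side is a mismatch.
    static boolean tokensMatch(String expected, String submitted) {
        if (expected == null || submitted == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }
}
```

One caveat worth knowing before adopting this: the token is per session, so a user with the same form open in two tabs will find that submitting one tab rejects the other (the second tab's token was overwritten by the later GET). If that matters, keep a small set of outstanding tokens in the session instead of a single value and remove the one that was spent.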
 