User can log in even after logout (invalidating session)

Stevie Shorey
Ranch Hand
Hi,

I have a system consisting of a LoginServlet and a LogoutServlet.
When I press a link to the LogoutServlet I run:



My LoginServlet is using a JDBC database (which works successfully). The only problem is that when the user clicks logout from the sample.jsp page, the LogoutServlet runs. But when the user returns to the login page again, the LoginServlet will accept ANY username and password and log this user back into the system.

I figured out this is because the request variables are persisting even after logout, so I tried this in the finally clause of my LoginServlet method, as I figured once you log in, you don't need the username etc. any more:



This must be because I am assigning username and password directly from the request.getParameter("username") call at the beginning of my LoginServlet. Can someone assist me to permanently log out a user? Thanks

Paul Clapham
Sheriff
Are you using just the existence of a session to determine whether a user is logged in? It's a lot easier to keep a variable in the session (like the user ID for example) to tell you that.

Then logging in consists of creating a session, if one doesn't already exist, and assigning the user ID to that session variable. Logging out consists of removing that session variable. You can try invalidating the session as well, but it isn't necessary.

Stevie Shorey
Ranch Hand
Paul Clapham wrote:Are you using just the existence of a session to determine whether a user is logged in? It's a lot easier to keep a variable in the session (like the user ID for example) to tell you that.

Then logging in consists of creating a session, if one doesn't already exist, and assigning the user ID to that session variable. Logging out consists of removing that session variable. You can try invalidating the session as well, but it isn't necessary.


So if I get this right,
I need to create a session manually, at the start of the login logic?
If so, would it be something like:

How does this address the issue of request.getParameter() retrieving values from a previous logon? How do I clear them? Because that is how I get my username and password.


Devaka Cooray
Marshal
Stevie Shorey wrote:i need to create a session manually? at the start of the login logic?


That's not something even close to what Paul suggested. When you authenticate a user, you can simply add the username as a String, or an object representing the user, to the session. This could be something like session.setAttribute("user", user);. When you want to log out, simply remove that attribute from the session by calling session.removeAttribute("user");

Stevie Shorey
Ranch Hand
Devaka Cooray wrote:
Stevie Shorey wrote:i need to create a session manually? at the start of the login logic?


That's not something even close to what Paul suggested. When you authenticate a user, you can simply add the username as a String, or an object representing the user, to the session. This could be something like session.setAttribute("user", user);. When you want to log out, simply remove that attribute from the session by calling session.removeAttribute("user");


Thanks for the explanation.

I tried it and the problem persists.
In my login servlet I put this:



In my logout servlet:

I click on the logout button: the message above is displayed, but when I try to log in again, it will accept any username/password combo.

Devaka Cooray
Marshal
Stevie Shorey wrote:

If "Rest of login logic" defines how you validate the username and password, the above code structure says something like "First sign in the user no matter what username and password are entered, and only then check if the given username and password are valid". Got the point?

The use of this.userName is a bad practice, as I suspect that the above method is declared in a servlet class, which means you defined userName to be an attribute variable of that servlet.
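The login/logout pair that Paul and Devaka describe, with the credential check moved in front of session.setAttribute(), written out as an added example (this is editorial code, not the poster's servlets). It assumes the javax.servlet API, a Servlet 3.1+ container for request.changeSessionId(), and a hypothetical CredentialStore that stands in for the poster's JDBC lookup with one constructed user; the attribute name "user" and the helper class Auth are also assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical stand-in for the poster's JDBC lookup, with one constructed user.
// A real store compares against a slow password hash (bcrypt, PBKDF2), never a
// plaintext column; the shape of the check is what matters here.
final class CredentialStore {
    private static final Map<String, String> USERS =
            Collections.singletonMap("alice", "correct horse battery staple");

    static boolean isValid(String username, String password) {
        String expected = USERS.get(username);
        if (expected == null) return false;
        // Constant-time comparison so a near-miss is not distinguishable by timing.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     password.getBytes(StandardCharsets.UTF_8));
    }
}

// Helper for protected pages: the presence of this attribute, not the mere
// existence of a session, is what means "logged in". null means not logged in.
final class Auth {
    static final String USER_ATTR = "user";

    static String currentUser(HttpServletRequest req) {
        HttpSession session = req.getSession(false); // do not create one just to look
        return session == null ? null : (String) session.getAttribute(USER_ATTR);
    }
}

@WebServlet("/login")
class LoginServlet extends HttpServlet {
    // Deliberately no username/password instance fields: one servlet instance
    // serves every request, so per-request data stays in locals and the session.

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");

        // Validate FIRST. Calling session.setAttribute before this check is the
        // ordering bug in the thread: anyone who submits the form is "logged in".
        if (username == null || password == null
                || !CredentialStore.isValid(username, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid username or password");
            return;
        }

        HttpSession session = req.getSession(true);
        // Rotate the session ID (Servlet 3.1+) so an ID handed to the browser before
        // login does not carry the authenticated state (session fixation).
        req.changeSessionId();
        session.setAttribute(Auth.USER_ATTR, username);
        resp.sendRedirect(req.getContextPath() + "/sample.jsp");
    }
}

@WebServlet("/logout")
class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.removeAttribute(Auth.USER_ATTR); // the marker Paul and Devaka describe
            session.invalidate();                    // and drop the server-side state and ID
        }
        resp.sendRedirect(req.getContextPath() + "/login.jsp");
    }
}
```

Logout is handled in doPost rather than doGet on purpose: a logout reachable by a plain link (GET) can be triggered by any page that embeds the URL, so the logout control should be a small form that POSTs. Note also that nothing in the login servlet "clears" request parameters: each HTTP request carries only the parameters the browser sent with it, so a fresh login request has no memory of the previous one once no state is kept in servlet fields.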

Stevie Shorey
Ranch Hand
Devaka Cooray wrote:
Stevie Shorey wrote:

If "Rest of login logic" defines how you validate the username and password, the above code structure says something like "First sign in the user no matter what username and password are entered, and only then check if the given username and password are valid". Got the point?

The use of this.userName is a bad practice, as I suspect that the above method is declared in a servlet class, which means you defined userName to be an attribute variable of that servlet.


I salute thee, kind sir
I added the setAttribute() after the login logic, and also reset the attribute at the end of the method which has fixed it.

On your second point, is it the use of this that is considered bad practice, or did you mean I should use a getter method? Thanks,

Devaka Cooray
Marshal
Stevie Shorey wrote:On your second point, is it the use of this that is considered bad practice or did you mean i should use a getter method? Thanks,

I just don't know where that tryLogin(-) method resides, so I don't know what 'this' refers to. There is nothing wrong with using 'this' at all, but I suspect that you are storing an object of the user as an attribute (instance variable) of your servlet. A servlet gets instantiated only once in the lifetime of the servlet context, so you should not store anything related to session data in a servlet. In simple words, if "this" is a servlet, "this.userName" is always the same regardless of who the user is and where the request comes from.
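What Devaka's last paragraph means in practice, as an added example that is not the poster's code: two concurrent requests handled by the same instance, one of which stores the user in an instance field (the pattern he warns against) and one of which keeps it in a local. The hypothetical tryLogin(-) here stands in for the poster's method, plain threads stand in for the container's request threads, and the latches only make the interleaving deterministic (request A writes its name, request B completes, then A finishes).

```java
import java.util.concurrent.CountDownLatch;

final class SharedStateDemo {

    interface Login {
        // wrote: signalled right after this call stores its user name
        // waitFor: awaited before reading it back (simulates a slow JDBC lookup)
        String tryLogin(String requestedUser, CountDownLatch wrote, CountDownLatch waitFor)
                throws InterruptedException;
    }

    // The pattern to avoid: one instance, one userName field, written by every request.
    static final class FieldBackedLogin implements Login {
        private String userName;                            // shared by all threads

        public String tryLogin(String requestedUser, CountDownLatch wrote, CountDownLatch waitFor)
                throws InterruptedException {
            this.userName = requestedUser;                  // request A writes "alice"
            if (wrote != null) wrote.countDown();
            if (waitFor != null) waitFor.await();           // ...blocks on the "database"...
            return this.userName;                           // ...and reads whoever wrote last
        }
    }

    // The fix: the name lives in a local (and, in a real servlet, in the session),
    // so no other request running through the same instance can overwrite it.
    static final class LocalStateLogin implements Login {
        public String tryLogin(String requestedUser, CountDownLatch wrote, CountDownLatch waitFor)
                throws InterruptedException {
            String userName = requestedUser;                // per call, per thread
            if (wrote != null) wrote.countDown();
            if (waitFor != null) waitFor.await();
            return userName;
        }
    }

    // Runs request A ("alice") and request B ("bob") against ONE instance and
    // returns the user that request A ends up being logged in as.
    static String userSeenByRequestA(Login login) throws InterruptedException {
        CountDownLatch aWrote = new CountDownLatch(1);
        CountDownLatch bFinished = new CountDownLatch(1);
        String[] resultA = new String[1];

        Thread requestA = new Thread(() -> {
            try {
                resultA[0] = login.tryLogin("alice", aWrote, bFinished);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
        });
        Thread requestB = new Thread(() -> {
            try {
                aWrote.await();                             // start only after A stored "alice"
                login.tryLogin("bob", null, null);          // B stores "bob" and returns at once
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            } finally {
                bFinished.countDown();                      // now let A continue
            }
        });

        requestA.start();
        requestB.start();
        requestA.join();
        requestB.join();
        return resultA[0];
    }

    public static void main(String[] args) throws InterruptedException {
        // Instance field: request A, which sent "alice", finishes as "bob".
        System.out.println("field-backed: A is logged in as " + userSeenByRequestA(new FieldBackedLogin()));
        // Local variable: request A finishes as "alice", whatever B did meanwhile.
        System.out.println("local-state:  A is logged in as " + userSeenByRequestA(new LocalStateLogin()));
    }
}
```

The first line shows the security impact of the shared field: under concurrent logins one user's request completes with another user's identity. No locking is needed to fix it; the per-request value simply must not live in the servlet object.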