
How to end session in my code?

 
Lester Carmelotes
Greenhorn
Posts: 12
Hi Guys,

I am a newbie in Java Servlets. I started working on a Login/Logout application. My problem is that when I successfully log in, it goes to the welcome page. I then log out, but when I press the Back button in the browser, it goes back to the welcome page, which it shouldn't.

How to fix this?


Please I need help.

Here's my code:
-Login.java


-Logout


-Validate


-Welcome


-index.html


-web.xml


Thanks Guys,
 
Devaka Cooray
Marshal
Posts: 5516
Your code doesn't use sessions. It simply dispatches to a page if the credentials are correct. The correct way would be like this:

1. Check if username/password are correct.
2. Create a session
3. Add a User object as a session attribute.
4. Redirect user to your protected page.

5. Requests to the protected page should be intercepted by a filter or a front controller, where you can deny dispatching to the protected template if the expected session attribute is not found.
6. To log out, call session.invalidate() or remove the session attribute.

To further protect your page against the Back button, add cache control headers to the pages you want to protect.

Read these articles: NoCacheHeaders and PostRedirectGet.
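
Added example (not part of the post above and not the poster's code): a servlet filter covering steps 5 and 6 and the cache-control advice. It assumes the javax.servlet API (Servlet 3.0+), protected pages mapped under /app/*, a session attribute named "user" set by the login servlet, logout as a POST to /app/logout, and index.html as the login page.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Added example, not code from the thread. Assumed names: protected pages are
// mapped under /app/*, the login servlet stores the user object in the session
// attribute "user", logout is a POST to /app/logout, login form is /index.html.
@WebFilter("/app/*")
public class AuthFilter implements Filter {

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String loginPage = request.getContextPath() + "/index.html";

        // Forbid caching of anything under /app/*, so the Back button must
        // re-request the page and pass through the session check below.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        // getSession(false) never creates a session for an anonymous visitor.
        HttpSession session = request.getSession(false);

        // Step 6: logout destroys the server-side session, then redirects.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if ("/app/logout".equals(path) && "POST".equals(request.getMethod())) {
            if (session != null) {
                session.invalidate();
            }
            response.sendRedirect(loginPage);
            return;
        }

        // Step 5: no session, or no user attribute, means not logged in.
        if (session == null || session.getAttribute("user") == null) {
            response.sendRedirect(loginPage);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```

Because the check runs on the server for every request under /app/*, a page reached with the Back button after logout is redirected to the login form instead of being served from the browser cache.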

 
mak pandian
Ranch Hand
Posts: 30
Hi Lester Carmelotes,

To be honest, I did not take a look at your code. Nevertheless, based on your problem description, I would suggest you take a look at http://answers.google.com/answers/threadview/id/574062.html

You do not need to do anything in your servlet but in JSP just add the following code.



Hope you know where to add the code in your JSP?
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 66149
That's a hack that provides no security whatsoever. Script in the browser is easy to defeat. The answer is to properly use sessions, and to make sure that the headers are set so as not to cache the pages.
 
Lester Carmelotes
Greenhorn
Posts: 12
Thanks for the reply guys, very much appreciated.

I have found this code:



My problem is how can I change this code:



to this code:



I tried this one but it didn't work. Sorry guys, I am a newbie and still learning Java Servlets.



Any suggestion?

thanks guys!
 
Om Prakash Bijawat
Greenhorn
Posts: 10
I don't think that the code for fetching user details from a database should be written in the init() method. The init method is called only once in the servlet life cycle, and if the user details like the password are updated from the backend using a query or from an update form, then the users Map object will always contain old user information, i.e. the password.

So it's better to write your code for fetching user details from a database in an execute method.
 
Rajesh Vassey
Greenhorn
Posts: 8
The problem which you are getting is called the double posting problem.
There are many approaches in the coding world; one approach is below.

Using a server side and client side key that changes with each post. It works like this:
Generate a unique (random) key on the server and place it in the session and also in a hidden field.
When the user posts back the first time compare the key in the hidden field to the key in the session, and, if they match, accept the input and then change or remove the key from the session and update the hidden field as well.
If the user manages to click submit twice the second post will fail because the hidden field in the HTML will no longer match the session variable until the page has been refreshed.

Also, the code which you posted is not the standard way of doing this authentication.
Please follow what Devaka Cooray has suggested in his post.
 