
session variable explanation

 
joe satriani
Greenhorn
Posts: 2
I am new to JSPs and servlets. I am trying out an example of login and logout. The flow is
home.jsp->login.jsp->welcome.jsp->logout.jsp
login.jsp just checks if the password entered and the password in the database is right or wrong and redirects it to "welcome.jsp" or "error.jsp" according to the password validation.

But after logging out, when I click the back button it sends me back to welcome.jsp with all my credentials. I understand it's the browser's cache which is responsible for the behavior, and I added extra headers to counter that problem, which gave some success.

I am writing the following code to counter this problem
welcome.jsp



and in logout.jsp

All this code does is that when I click the back button it gives output as:
welcome null!
So it means that the session variable is still not null.
So can somebody tell me what is happening in the back side? Even when I tried this code in logout.jsp, the test is coming out to be false:

So how is the session getting instantiated again and again?
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65833
The session variable has nothing to do with it. The JSP creates a session when it needs it.

You should not be caring about whether the session exists or not, but be paying attention to what is in the session. Upon a login, you can put a token in the session and check for it. Upon logout, remove the token. Invalidating the entire session for a logout is a very amateurish way to approach it.

In fact, you should likely not be creating your own security but using the container's security or at least a 3rd party package that's already been debugged.

 
joe satriani
Greenhorn
Posts: 2
Hi Bear,
Could you give me an example of third party security that you mentioned?
Also I modified the code in the welcome.jsp like this

Will that be OK?
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65833
Actually, no, that's woefully inadequate. What happens if a user bookmarks your page and doesn't go to the login page?

None of the security code should be in the JSP views (there should be NO code at all, none at all, in the JSPs) or even in the controllers. This should all be handled with filters.

An example security package is Apache Shiro.

Is the container-managed security not sufficient for your needs? (It's usually not for me, but if you haven't checked, you don't know.)
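
The filter-based token check described in the replies above, as an added example that is not part of the thread or any poster's code. It assumes the javax.servlet API (Servlet 3.x), a hypothetical session attribute name `authenticatedUser`, and the page names from the original post.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Added example: every request passes through here, so a bookmarked
// welcome.jsp is checked just like one reached through login.jsp.
@WebFilter("/*")
public class LoginTokenFilter implements Filter {
    // Hypothetical attribute name. The login code sets it after the password
    // check; the logout code calls session.removeAttribute(LOGIN_TOKEN).
    static final String LOGIN_TOKEN = "authenticatedUser";

    // Pages from the original post that must stay reachable without a login.
    private static final Set<String> PUBLIC_PAGES = new HashSet<>(
            Arrays.asList("/home.jsp", "/login.jsp", "/error.jsp"));

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        boolean isPublic = PUBLIC_PAGES.contains(req.getServletPath());

        // getSession(false) never creates a session. A JSP with the default
        // session="true" always has one, so "session != null" proves nothing;
        // the token stored inside the session is what counts.
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null
                && session.getAttribute(LOGIN_TOKEN) != null;

        if (!isPublic && !loggedIn) {
            res.sendRedirect(req.getContextPath() + "/login.jsp");
            return;
        }
        if (!isPublic) {
            // Keep protected pages out of the browser cache so the Back
            // button re-requests them and hits this check again.
            res.setHeader("Cache-Control", "no-store");
        }
        chain.doFilter(req, res);
    }
}
```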
 