session variable explanation

 
Greenhorn
I am new to JSPs and servlets. I am trying out an example of login and logout. The flow is
home.jsp -> login.jsp -> welcome.jsp -> logout.jsp
login.jsp just checks if the password entered and the password in the database match, and redirects to "welcome.jsp" or "error.jsp" according to the password validation.

But after logging out, when I click the back button it sends me back to welcome.jsp with all my credentials. I understand it's the browser's cache which is responsible for the behavior, and I added extra headers to counter that problem, which gave some success.

I am writing the following code to counter this problem
welcome.jsp



and in logout.jsp

All this code does is that when I click the back button, it gives output as:
welcome null!
So it means that the session variable is still not null.
So can somebody tell me what is happening behind the scenes? Even when I tried this code in logout.jsp, the test is coming out to be false:

So how is the session getting instantiated again and again?
 
Sheriff
The session variable has nothing to do with it. The JSP creates a session when it needs it.

You should not be caring about whether the session exists or not, but be paying attention to what is in the session. Upon a login, you can put a token in the session and check for it. Upon logout, remove the token. Invalidating the entire session for a logout is a very amateurish way to approach it.

In fact, you should likely not be creating your own security but using the container's security or at least a 3rd party package that's already been debugged.

 
joe satriani
Greenhorn
Hi Bear,
Could you give me an example of the third party security that you mentioned?
Also, I modified the code in welcome.jsp like this

Will that be OK?
 
Bear Bibeault
Sheriff
Actually, no, that's woefully inadequate. What happens if a user bookmarks your page and doesn't go to the login page?

None of the security code should be in the JSP views (there should be NO code at all, none at all, in the JSPs) or even in the controllers. This should all be handled with filters.

An example security package is Apache Shiro.

Is the container-managed security not sufficient for your needs? (It's usually not for me, but if you haven't checked, you don't know.)
 