session.invalidate() not working

[Eli20]

Hi, i have a web application, im using Tomcat 4.1 as a web server and jsp and servlets to biuld the application.
I use BASIC authentication to validate the users that can login, and i have a logout jsp page, where i invalidate the session in a scriplet like this:

<% session.invalidate() %>

and then there is a link to the main page (the one where the user has not logged in), but once in the main page instead of asking for the username and password again to enter a restricted resource, it lets it in, keeping the same user as before.

does anybody know what am i doing wrong??

i define all the authentication thing in my web.xml file like this:

<security-constraint> 
		<web-resource-collection>
			<web-resource-name> Test</web-resource-name>
			<url-pattern> /jsp/firstPage.jsp </url-pattern>
			
			<http-method> GET </http-method>
			<http-method> POST </http-method>
		</web-resource-collection>
	
		<auth-constraint> 
			<role-name> userallowed </role-name>
		</auth-constraint>
</security-constraint>

<login-config>
		<auth-method> BASIC </auth-method>
		<realm-name>  appcontext </realm-name>
</login-config>

if you need more information please let me know.. and i hope someone can give me an answer

thank you very much

Eli

 

[dennisGuru]

You should take a look at the cache settings of your browser.

Or put the following in the header of your jsp pages.

<!-- doesn't work with IE -->
<META HTTP-EQUIV=&quot;Pragma&quot; CONTENT=&quot;no-cache&quot;>
<!-- doesn't work with Navigator -->
<META HTTP-EQUIV=&quot;expires&quot; CONTENT=&quot;0&quot;>
<META HTTP-EQUIV=&quot;Cache-Control&quot; CONTENT=&quot;no cache&quot;>

 

[Eli20]

i tried it, but it didnt work.. i put that code on the top of my jsp pages... but i got the same problem.

Any other ideaS? can it be a tomcat problem?

Eli

 

[dennisGuru]

I don't think it is a tomcat problem.

You also have no ; after session.invalidate, but this is not the case in your code. I assume.

You could check if the invalidate is executed. Maybe some printlines around it.

In what way do you check on your jsp pages if a user is logged in? Do you put a username in the session and check if that is in it? Or do you check if there is a session?

Dennis.

 

[Eli20]

i dont check, i thought that was the point of using the tomcat authorization methods, that it does all that kind of work..

anyways, how can i do it? check if there is a session in every jsp of my app?? and if there is not.. how do i call the basic authorzation again?? im a bit messed up.. .

thank you very much

Eli

 

[dennisGuru]

Here is the way I use it:

First in the jsp pages I have the no caching stuff.

When you login I use a form to activate the servlet. When you login the servlet checks if the user is in the database. If so, I have a bean that &quot;knows&quot; that a user is logged in. This bean is always in the session and you can use it with the <jsp:useBean id=&quot;loginBean&quot; class=&quot;package.LoginBean&quot; scope=&quot;session&quot; />.

You have to add some if-statements to the jsp pages:
if(user.loggedIn()) {
//show this
}
else {
//show that
}

After you log out, redirect the user to the main page (index) so everything should be allright.

I hope this helps.
Dennis.

 

[Eli20]

yes, i understand what You do, but then you are not using tomcat authentication, you are doing all the logic yourself..

i had it that way, but i was told using the security constraint and the login method would increase my application security..

Anyways, ill keep looking, because i cannt belive its not working.. thank you very much!!

Eli

 

[dennisGuru]

I just thought of something. Try deleting the contents of your work directory. Sometimes jsp pages are not reloaded/recompiled correctly.

Dennis.

 

[maram99]

Hi Eli20,

I am facing the same problem now. Can you please let me know if u found a way for overcoming this issue.

Thanks in advance,
maram

 

[Eli20]

mm i couldnt solve the problem i simply closed the browser using a java script when the user logged off.. i know its not a solution, but it worked for me.

please let me know if you find a way to invalidate the session.

Eli