session invalidate Pro

Khanjan · Mar 18, 2004

I have a JSP application which uses Session to store session values. I am having problem
invalidating the session. After logout i am able to access the application by clicking the browsers
back button and refreshing the page.

I use this code in Logout.jsp

<%if(session!=null)
{

session.invalidate();
}
%>response.sendRedirect(loginpage.html)

Can anybody explain what's wrong here?

byam · Mar 20, 2004

This may explains your situtation:

http://www.mail-archive.com/struts-user@jakarta.apache.org/msg14719.html

Khanjan · Mar 21, 2004

Hi,

Isnt there any other way than using saveToken() and struts..?

byam · Mar 21, 2004

If not using Struts, you can apply the same token idea. Use session ID as token and put that as a hidden field in the login form page. In the login process, if the token value is not the same as current session ID, then it is not a valid login.

In your logout page, you put

Code:

<%@ page session="false"%>

In your login page, within the login form:

Code:

<form ....>
<input type="hidden" name="sessionId" value="<%= session.getId() %>"/>

...

</form>

Then in the JSP or serlvet that process login:

Code:

<%
    String loginPageSessionId = request.getParameter("sessionId");

    if (loginPageSessionId==null 
        || !loginPageSessionId.equals(session.getId())) {
        // this is a login page refresh after logout
        response.sendRedirect("login.jsp");
        return;
    }
%>

Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

session invalidate Pro

Khanjan

Programmer

byam

Programmer

Khanjan

Programmer

byam

Programmer

Similar threads

Part and Inventory Search

Sponsor