How to properly invalidate JSP session?


So here is the problem. When a user logs out of my website, they can still hit the back button and continue using the site. To keep track of whether the user is logged in or not, I created a session attribute "isActive".

The attribute is set to true when the user logs in, and is (redundantly) removed right before the session is invalidated at logout. Also on every page I check if the attribute is present. I also specify that pages should not be cached in their head tags.

Despite this, users are still able to hit back on the browser, and continue to use the site as if they never logged off. Any idea on how to fix this? Here is the code:

Login Servlet:

    ...
    session.setAttribute("isActive", true);
    // Redirect to home page.

Check Logged In JSP:

Logout Servlet:

    request.getSession().removeAttribute("isActive");
    request.getSession().invalidate();
    response.sendRedirect("index.jsp");

Inside Head Tag:

Thanks

– Morglor, asked Oct 10 '10 at 23:45, edited Oct 11 '10 at 0:07

The meta tags are not sufficient. You need to add them as fullworthy response headers. The web browser relies on them.

A Filter is helpful in this. Also, the Cache-Control header is incomplete (won't work as expected in Firefox, among others). Implement this in the doFilter() method of a Filter which is mapped on an url-pattern of for example *.jsp (if you want to cover all JSP pages).

    HttpServletResponse res = (HttpServletResponse) response;
    res.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
    res.setHeader("Pragma", "no-cache"); // HTTP 1.0.
    res.setDateHeader("Expires", 0); // Proxies.
    chain.doFilter(request, response);

This way the web browser will be forced to fire a real request on the server rather than displaying the page from the browser cache. Also, you should rather be using a Filter to check the presence of the logged-in user, not JSP/JSTL.

Related questions:

- Making sure a page is not cached, across all browsers
- Checking if an user is logged in
- Authenticating the user using filters

Thanks, worked like a charm. – Morglor Oct 14 '10 at 23:21

You're welcome. Don't forget to mark the most helpful answer accepted. See also stackoverflow.com/faq. – BalusC Oct 14 '10 at 23:24

You shouldn't check if the session is still active on your destination page, it's better to check it with a Filter. If in the filter, request.getSession().getAttribute("isActive") returns something, then the user is still logged in, and you simply chain; else you redirect to the login page.

For example:

    import java.io.IOException;
    import javax.servlet.*;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class ActiveFilter implements Filter {

        public void init(FilterConfig filterConfig) { }

        public void destroy() { }

        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse res = (HttpServletResponse) response;
            if (req.getSession().getAttribute("isActive") == null) {
                // No login marker in the session: send the user to the login page.
                res.sendRedirect("/index.jsp");
            } else {
                // Logged in: let the request continue.
                chain.doFilter(request, response);
            }
        }
    }

Resources: Sun.com - Filtering Requests and Responses.

Thanks, do you know how to make that work on every page except index.jsp? It doesn't seem like the url-pattern tag in web.xml supports regular expressions. – Morglor Oct 14 '10 at 23:20
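The two answers above combined into one Filter, with the index.jsp exemption from the last comment handled inside doFilter(). This is an added example, not code from either answer; the class name NoCacheLoginFilter and the assumption that /index.jsp is the only public page are hypothetical, and it targets the javax.servlet API with the filter mapped on *.jsp.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical class name; map it in web.xml on the url-pattern *.jsp.
public class NoCacheLoginFilter implements Filter {

    // Assumption: index.jsp is the only page reachable without logging in.
    private static final String LOGIN_PAGE = "/index.jsp";

    public void init(FilterConfig filterConfig) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // Real response headers, so Back re-requests the page instead of using the cache.
        res.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
        res.setHeader("Pragma", "no-cache"); // HTTP 1.0.
        res.setDateHeader("Expires", 0); // Proxies.

        // url-pattern has no "everything except" form, so the exemption is made here.
        boolean isLoginPage = LOGIN_PAGE.equals(req.getServletPath());

        // getSession(false) does not create a session for an anonymous visitor.
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("isActive") != null;

        if (loggedIn || isLoginPage) {
            chain.doFilter(request, response);
        } else {
            res.sendRedirect(req.getContextPath() + LOGIN_PAGE);
        }
    }
}
```

After logout invalidates the session, a Back press triggers a fresh request, the filter finds no isActive attribute, and the user lands on the login page.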
