Killing a session in a servlet!!

 
Greenhorn
Posts: 27
I will summarise my problem here for your reference.
I have a delete orders page showing a number of orders.
This page has code which checks whether the session has an object
called admin. Only if this object is present in the session are the
orders shown; otherwise we forward the user to the login page.
On clicking logout link we call
session.invalidate();
Also we are explicitly removing admin object from the session by calling
session.removeAttribute("admin");
Now I take following steps.
1. Login
2. go on delete orders page.
3. logout from the system.
4. click the browsers back button to go back to the delete orders page.
5. Try deleting some orders.
Ideally since the admin has logged out, he should be forwarded to the
login page but this is not happening. It is allowing the orders to be
deleted.
On the other hand, I could not understand the reason why simply calling
session.invalidate() won't work. Is there any misunderstanding about the
way session.invalidate() works? Please help out.
Thanks in advance
Sachin
 
Ranch Hand
Posts: 645
Sachin,
If I got your words, this is what you are doing...
1) Before displaying orders in the delete orders page, you check for the admin role in the session.
--This means if the admin role is found, orders are displayed, and they can be deleted. Hence if you click the back button, as the page is coming from cache there is no session check and all orders are visible and can be deleted.
So I would suggest checking for the admin role when the delete button is processed.
2) If I'm wrong in the 1st point, i.e. you have the check on the delete button, then what is the first statement in your logout page, session.invalidate or session.remove.....??
I guess session.remove.... must precede session.invalidate();
Hope this gives you some help
Cheers
Praful
 
sachin pathak
Greenhorn
Posts: 27
I am removing the object from the session before I am invalidating it.
I am using a value object of type Member stored in the session. The Member class has a method called isAdmin which decides whether the user is admin or not! We are also checking the validity of the user in the actual delete action code. But the main problem is that in spite of invalidating the session, the admin object can be retrieved from the session. This is a real pain in the wrong place.
I searched the web for the problem and it seems that this problem is prevalent all over the world, but nobody has suggested a solution and also nobody knows why this issue occurs.
I am pasting some links below to give the gravity of the problem. JavaRanch itself has discussed the problem in the past quite a few times, but nobody is sure why this happens. Please visit
Click Here for link 1
If anybody knows the issue please help.
Thanks in advance
Sachin
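The two things Praful suggests (check the admin role on the delete action itself, and remove the attribute before invalidating) together with no-cache headers on the protected page, written out as an added example that is not code from either poster. It assumes a Member value object with an isAdmin() method stored under the "admin" attribute, as described above; the login page path and URL mappings are placeholders.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Map this filter (in web.xml) to BOTH the delete-orders page and the URL the
// delete button posts to, so a stale copy of the page shown by the Back button
// still cannot delete anything: the delete request itself is re-checked.
public class AdminSessionFilter implements Filter {

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) returns null after logout instead of creating a
        // fresh, empty session; getSession() would silently create one.
        HttpSession session = request.getSession(false);
        Object member = (session == null) ? null : session.getAttribute("admin");

        // Member / isAdmin() are the poster's own types; "/login.jsp" is a placeholder.
        if (!(member instanceof Member) || !((Member) member).isAdmin()) {
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }

        // Tell the browser and proxies not to cache the protected page, so
        // Back re-requests it and hits this check instead of a cached copy.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        chain.doFilter(request, response);
    }
}

// Logout: remove the attribute, then invalidate. Later requests see no
// session at all, so the filter above sends them to the login page.
class LogoutServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.removeAttribute("admin");
            session.invalidate();
        }
        response.sendRedirect(request.getContextPath() + "/login.jsp");
    }
}
```

Any code that still calls session.getAttribute("admin") after invalidate() on the same session object gets an IllegalStateException, so a value that is "still retrievable" after logout is normally coming from a cached page or from a new session created by an unguarded request.getSession() call.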
 