
Log Out Problems

 
Greenhorn
Posts: 5
I did a logout which says session.invalidate() for my servlets.

But I realise that by pressing the back button to my loginServlet and refreshing, it actually gets logged in again! It seems like the ID and password exist "somewhere", which enabled the loginServlet to get its parameters and log in again.

How do I prevent users from pressing backspace and then refresh to get another login session after they have just logged out? I have been reading up on filters; can anyone tell me whether filters can do the job? What actually is the problem here? I have been stuck here for a long, long time!!!
 
Greenhorn
Posts: 16
Hi Johnny,

Ideally you should check for a valid session at the top of any page that your user can go to in your website. Usually people include a startup file at the top of every JSP, and that startup JSP page checks for a valid session and redirects when one is not found.

If you are using servlets, then you should use a ServletFilter. This ServletFilter is usually mapped to a URL (like servlet path mapping).
In the doFilter() API call implementation for this filter, you can check for the existence of the user session; if it is not there, then redirect the user to the login page.

If it is there, then the filter takes care of forwarding it to the requested resource when you call chain.doFilter().

Also, make sure that the session object being checked is removed from session scope when the user logs out.
 
Johnny Lee
Greenhorn
Posts: 5
hmmm... but what if another user (a registered and legal user) wants to log in? He does not have a valid session yet, and because the filter will check for a valid session when he is logging in (and he doesn't have one yet), won't that send him straight away to an error login page?
 
Celina Paul
Greenhorn
Posts: 16
Usually the login page is kept out of the URL path your filter is mapped to. For example, all the important resources are in a folder, say "secured".
So every user could go to the login page without the filter being invoked.
Once he enters the login information and clicks submit, it goes to a servlet which is still outside the "secured" mapped URL for the filter.

Usually, in a pattern like MVC, it goes to the controller servlet, which then creates a valid session for the user. After the valid session is created, the request is forwarded to a resource which lies in the "secured" path, and the filter is invoked and checks the validity of the session.
 
Johnny Lee
Greenhorn
Posts: 5
Hi Celina Paul,

I got what you mean and my logout is fine now.

Thank you