File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes Servlets and the fly likes Killing a session in a servlet!! Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » Servlets
Bookmark "Killing a session in a servlet!!" Watch "Killing a session in a servlet!!" New topic

Killing a session in a servlet!!

Ranch Hand

Joined: Nov 22, 2008
Posts: 18944
In my logoff servlet,i have used session.invalidate().
but still if i click back button of the browser after logging out ,it again takes me to the previous page.and allows me to manipulate that page.actually it should not allow me to manipulate.
Can anyone please help me regarding this.
maha anna
Ranch Hand

Joined: Jan 31, 2000
Posts: 1467
I used a technique for proper authendication of users for a web application. Basically the logic I used is this.
1. In the servlet first check if the Session object exists.
2. If exists check in the session there is a <i>special session object</i>. This special object (here 'UserView' )was already put by our application when a user properly logs into the system.
Basically if a user properly logs in, we create a viewbean object with members loginID, and password and put into memory (put in session with a name like 'userView', so that we can properly check back for the view bean object in session with the nameTag, latter,in any servlet ). This CREATING NEW SESSION and putting a viewBean in session are done in the LoginServlet.
// sample code

3. If that special session object exists, give a GO-AHEAD. Further processiog in the servlet.

4. If not redirect the user to login page/ or a 'notLoggedIn.html' page, and ask the user to PROPERLY LOGIN to the system. I use 'forward' instead of 'redirect' API since this redirect doesn't work properly.

I have given you an idea of how I have done. I have written an authendication servlet and put it online in the wYou can check it online in
Try the following test cases in Maha's web applicaion in the mentioned link
I have 2 users in the database.
1. loginId : 1000
password: maha
2. loginId :1001
password :anna

Test case 1 :
Login as 1000 with password maha
Try to login again
Test case 2 :
Login as 1001 with password anna
Try logout again
Test case 3 :
Try logout WITOUT logged in first
Basically this system DOESNOT allow the user into the system without properly logged in. I used 2 servlets,some viewbeans,JDBC-MYSQL database,2 JSP pages, 2 html pages. and the MVC (Model-View-Control) Design pattern.
If you further need help I can send you the full source code in Zip file to you.
maha anna

[This message has been edited by maha anna (edited October 04, 2000).]
Ranch Hand

Joined: Nov 22, 2008
Posts: 18944
I got the same question too. I don't quite get your reply. Could you please mail the source code to so that I can try it out on my machine? Thanks!
Ranch Hand

Joined: Nov 22, 2008
Posts: 18944
Hi maha anna,
thank u very much for ur kind advice.
can u send me the source code.
mohan paladi

Joined: Dec 13, 2006
Posts: 8

hello maha anna,
I am alos working for a similar kind of project where i need
to kill or invalidate a session variable aat the logout page.
Do please mail me the source code at,
regards and thanks in advance
- mohan
Beksy Kurian
Ranch Hand

Joined: Jul 11, 2001
Posts: 254
Would you please email me the source code for logout session tracking. Thanks
Subbu Aswathanarayan
Ranch Hand

Joined: Jun 22, 2001
Posts: 73
Hi Maha,
I have done the session tracking part and it works fine.but i have a basic it goes
lets assume i write a complete web app.this app has 3 servlets and 4 jsp
docs.once the user logs in, the 1st servlet puts a session id in to this
session.the other servlets and jsp pages check for this id before they
process any user request.
my question is:if two users login at the same time then the servlet will
put two separate ids for both the my doubt is, when the rest of
the servlets and jsp docs try to retrieve the id, how will they
know which id is their's.will they not get confused?for my app if this
happens(i mean one user reading another users id) it will be disastrous.
please clear my doubt.
Thanks in advance.

I agree. Here's the link:
subject: Killing a session in a servlet!!
It's not a secret anymore!