Logout page

Moined Mogul
Ranch Hand

Joined: Jul 11, 2001
Posts: 33
I have created a JSP page that takes the username and password of the user and if correct will forward them on to the appropriate JSP with admin rights to my database.
I am wondering now what would be the simplest method of implementing a logout so that when the user logged out they could not use the browser back button to go back to the admin page. I have already added the code to keep the browser from caching any of the pages so I think it is only a matter of validating and invalidating the session in the right places.
Could someone please give me an example of how to properly use the session validate and invalidate to keep the users of my web app from being able to use the back button and then do a refresh to get back to the admin page?
Thank you!!!
Rehan Malik
Ranch Hand

Joined: Jul 09, 2001
Posts: 76
Originally posted by Moined Mogul:
I have created a JSP page that takes the username and password of the user and if correct will forward them on to the appropriate JSP with admin rights to my database.
I am wondering now what would be the simplest method of implementing a logout so that when the user logged out they could not use the browser back button to go back to the admin page. I have already added the code to keep the browser from caching any of the pages so I think it is only a matter of validating and invalidating the session in the right places.
Could someone please give me an example of how to properly use the session validate and invalidate to keep the users of my web app from being able to use the back button and then do a refresh to get back to the admin page?
Thank you!!!


First thing that you should do is when the users are logging in, set an attribute.
session.setAttribute("logged", "1") OR add this code on the top of the JSP pages
<%
if(session.isNew())
{
response.redirect("PleaseLogin.jsp");
}
%>
When logging out, add this line:
session.invalidate();
Also, on all of your pages, add the HTML codes for non-caching in the browser. It only works correctly if HTTP 1.1 is activated, I believe. But either way, if the viewer tried to click on any links on your pages, the code above "session.isNew()" will forward them to another page, therefore protecting any changes.

Rehan Malik
Moined Mogul
Ranch Hand

Joined: Jul 11, 2001
Posts: 33
So should I add this code:
<%
if(session.isNew())
{
response.redirect("PleaseLogin.jsp");
}
%>

to both my login.jsp and my admin.jsp???
And then just invalidate the session in my logout.jsp???
That is it???
Rehan Malik
Ranch Hand

Joined: Jul 09, 2001
Posts: 76
Originally posted by Moined Mogul:
So should I add this code:
<%
if(session.isNew())
{
response.redirect("PleaseLogin.jsp");
}
%>
to both my login.jsp and my admin.jsp???
And then just invalidate the session in my logout.jsp???
That is it???

Well...close. You don't want to add that code to your "login.jsp" page if that's where the user will be adding the information. I'm guessing that the redirect should be as follows:
response.sendRedirect("login.jsp");
DO NOT add the check to see if the session is new on the login page or else you might end up in an infinite loop.
If you only have one page that needs the protection, add the code to JUST the admin.jsp page.
You also have to add the HTML headers in order to prevent caching and to expire the content as well.
I BELIEVE that the code in JSP for the headers is as follows:
<%
response.setHeader("Cache-Control", "no-cache");
response.setHeader("Pragma", "no-cache");
response.setDateHeader("max-age", 0);
response.setDateHeader("Expires", 0);
%>
This MAY not work since I've had reported problems of not being able to get this to work. This works with HTTP 1.1 protocols from what I remember.
The person may still be able to go to the admin page by hitting return BUT they won't be able to change the content.

Moined Mogul
Ranch Hand

Joined: Jul 11, 2001
Posts: 33
I got this error when I added the code you suggested to my JSP pages.
Compiling failed
.\home\WEB-INF\temp\admin_jsp.java:78: Method redirect(java.lang.String) not found in interface javax.servlet.http.HttpServletResponse.
response.redirect("adminlogin.jsp");
Rehan Malik
Ranch Hand

Joined: Jul 09, 2001
Posts: 76
WOOPS! Sorry
I meant this:
response.sendRedirect("login.jsp");
Originally posted by Moined Mogul:
I got this error when I added the code you suggested to my JSP pages.
Compiling failed
.\home\WEB-INF\temp\admin_jsp.java:78: Method redirect(java.lang.String) not found in interface javax.servlet.http.HttpServletResponse.
response.redirect("adminlogin.jsp");

Moined Mogul
Ranch Hand

Joined: Jul 11, 2001
Posts: 33
That is what you had quoted before....I am not getting the error now but can still get back to that page if I hit the back button and then do a refresh of the page???
Please help???
Thank you.
Moined Mogul
Ranch Hand

Joined: Jul 11, 2001
Posts: 33
The adminlogin is the actual name of my login.jsp file
Rehan Malik
Ranch Hand

Joined: Jul 09, 2001
Posts: 76
Originally posted by Moined Mogul:
That is what you had quoted before....I am not getting the error now but can still get back to that page if I hit the back button and then do a refresh of the page???
Please help???
Thank you.

Hmm - I wonder if there's a header where you have to set the content type and the HTTP Protocol to use. I don't have the book on me which has the list of all the headers, but let me look around real quick here at work.

----------------------------------------
okay try this:
<%
response.setDateHeader("Expires", 0);
response.setHeader("Pragma", "no-cache");
if (request.getProtocol().equals("HTTP/1.1"))
{
response.setHeader("Cache-Control", "no-cache");
}
%>
(I'm running out of ideas =)

[This message has been edited by Rehan Malik (edited July 11, 2001).]
Moined Mogul
Ranch Hand

Joined: Jul 11, 2001
Posts: 33
Thank you so much for your help...I would really appreciate it if you could look...thank you...
Rehan Malik
Ranch Hand

Joined: Jul 09, 2001
Posts: 76
Originally posted by Moined Mogul:
Thank you so much for your help...I would really appreciate it if you could look...thank you...


okay try this:
<%
response.setDateHeader("Expires", 0);
response.setHeader("Pragma", "no-cache");
if (request.getProtocol().equals("HTTP/1.1"))
{
response.setHeader("Cache-Control", "no-cache");
}
%>
I'm running out of ideas =)
Jump in anybody if you're reading this as well =)
Rehan Malik
Ranch Hand

Joined: Jul 09, 2001
Posts: 76
Originally posted by Rehan Malik:

okay try this:
<%
response.setDateHeader("Expires", 0);
response.setHeader("Pragma", "no-cache");
if (request.getProtocol().equals("HTTP/1.1"))
{
response.setHeader("Cache-Control", "no-cache");
}
%>
I'm running out of ideas =)
Jump in anybody if you're reading this as well =)


IF that doesn't work, try this:
response.setIntHeader("max-age", 0); //IE only;
response.setHeader("Cache-Control","no-cache"); //HTTP 1.1
response.addHeader("Cache-Control","no-store");
response.setHeader("Pragma", "no-cache"); //HTTP 1.0
response.setIntHeader ("Expires", -1); //prevents caching at the proxy server
response.addHeader("cache-Control", "private"); //IE5.x only;
(Source - Sun's JSP Forum - Posted by sunnyliu)
I'm giving the author the credit, HOPEFULLY, he knows this code works.

Rehan Malik
Ranch Hand

Joined: Jul 09, 2001
Posts: 76
Originally posted by Moined Mogul:
I have created a JSP page that takes the username and password of the user and if correct will forward them on to the appropriate JSP with admin rights to my database.
I am wondering now what would be the simplest method of implementing a logout so that when the user logged out they could not use the browser back button to go back to the admin page. I have already added the code to keep the browser from caching any of the pages so I think it is only a matter of validating and invalidating the session in the right places.
Could someone please give me an example of how to properly use the session validate and invalidate to keep the users of my web app from being able to use the back button and then do a refresh to get back to the admin page?
Thank you!!!

Well according to the lists that I've seen, the codes for setting the headers *should* work. As far as your original question about invalidating the session, if the user tries to refresh the page after you logout, they will be sent to the login page.
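
The pieces discussed in this thread (a login marker in the session, invalidation on logout, and no-cache headers) combined into one servlet filter. This is an added example, not code from any poster; it checks the "logged" attribute from the first reply rather than session.isNew(), which is only true on the first request of a fresh session. The class name, the /admin/* filter mapping and the /admin/logout URL are assumptions; adminlogin.jsp is the login page named in the thread and has to sit outside the mapping to avoid the redirect loop mentioned above.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example. Assumed to be mapped to /admin/* in web.xml.
public class AdminGuardFilter implements Filter {
    private static final String LOGIN_PAGE = "/adminlogin.jsp"; // from the thread
    private static final String LOGOUT_URL = "/admin/logout";   // hypothetical

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String login = req.getContextPath() + LOGIN_PAGE;

        // Ask browser and proxies not to keep a copy, so Back/Refresh has to
        // re-request the page and pass through the check below.
        res.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        res.setHeader("Pragma", "no-cache");      // HTTP/1.0 caches
        res.setDateHeader("Expires", 0);

        // getSession(false) never creates a session as a side effect.
        HttpSession session = req.getSession(false);

        // Logout: accept POST only, destroy the server-side session.
        if ("POST".equals(req.getMethod()) && req.getRequestURI().endsWith(LOGOUT_URL)) {
            if (session != null) session.invalidate();
            res.sendRedirect(login);
            return;
        }

        // A logged-out user has no session, or one without the login marker.
        boolean loggedIn = session != null && "1".equals(session.getAttribute("logged"));
        if (!loggedIn) {
            res.sendRedirect(login);
            return;                               // protected page never runs
        }
        chain.doFilter(rq, rs);
    }
}
```

Even if a browser ignores the cache headers and shows a stale copy on Back, any refresh or form submission reaches this filter and is redirected, because the "logged" marker went away with the invalidated session.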
 