
Setting session to true and then invalidating

 
Moined Mogul
Ranch Hand
Posts: 33
I am still having the problem with the user using the back button and then hitting REFRESH and being able to get back to a secure page once they have logged out. I am thinking that the only solution now is to properly validate when the user logs on and then properly invalidate when the user logs out or leaves the page.
Could someone please give me some instruction on how to use the validate and invalidate and where I should use them? I have a login.jsp where the user inputs their username and password and I also have a secure.jsp which is where the validation of username and password is done and if logged in correctly they stay on this page....if not they are forwarded to another page.
Thank you!
 
Anoop Krishnan
Ranch Hand
Posts: 163
Hi Moined Mogul,
If the user logs in correctly, do something like this in your login.jsp:
session.setAttribute("LOGIN", Boolean.TRUE);
When the user logs out:
session.removeAttribute("LOGIN");
Now check for the attribute LOGIN in your secure.jsp page:
Boolean isLogin = (Boolean) session.getAttribute("LOGIN");
if(isLogin == null)
{
    // kick out
}
else
{
    // welcome
}
 
Rehan Malik
Ranch Hand
Posts: 76
Here is the complete setup. I've tried this on my side and it works.
// login.jsp
<html>
<body>
<form method="post" action="/servlet/VerifyLogin">
Username: <input type="text" name="username"><br>
Password: <input type="password" name="pass"><br>
<input type="submit" value="Submit"> <input type="reset" value=" Cancel ">
</form>
</body>
</html>

// VerifyLogin.java
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
public class VerifyLogin extends HttpServlet
{
    // No HttpSession field here: one servlet instance serves all requests,
    // so per-user state must stay in local variables.
    public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException
    {
        doPost(request, response);
    }
    public void doPost(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException
    {
        // getParameter() returns null when the field is missing
        String username = request.getParameter("username");
        String password = request.getParameter("pass");

        if("Username".equals(username) &&
           "Password".equals(password))
        {
            // Mark the session as logged in only after the credentials check out
            HttpSession session = request.getSession();
            session.setAttribute("Logged", Boolean.TRUE);
            response.sendRedirect("/secure.jsp");
        }
        else
        {
            response.sendRedirect("/login.jsp");
        }
    }
}

// secure.jsp
<%
if(session.isNew() || session.getAttribute("Logged") == null)
{
    response.sendRedirect("/login.jsp");
    return; // stop here so the rest of the page is not rendered
}
%>
<html>
<body>
<a href="logout.jsp">Logout</a>
</body>
</html>
// logout.jsp
<%
session.invalidate();
response.sendRedirect("/login.jsp");
%>
This SHOULD work. If this doesn't work and the user is still able to refresh the "secure.jsp" page after logging out, then I'm not sure what to tell ya.
[This message has been edited by Rehan Malik (edited July 13, 2001).]
 
Jason Kilgrow
Ranch Hand
Posts: 47
I use a static class called LoginUtil that has static methods to check various items regarding login. One of the items is a boolean called isLoggedIn which gets set in a loginBean to true upon successful login.
Then, at the top of all of my jsp's, I use LoginUtil.isLoggedIn() to check if the session is properly logged in. If it's not, I can check other things (like if the session has timed out) and redirect the browser to the login page or an error page, etc. The key is to check the status of isLoggedIn at the top of every jsp. This way, if someone bookmarks a page, the login status is checked and the user is redirected to the appropriate page.
Originally posted by Moined Mogul:
I am still having the problem with the user using the back button and then hitting REFRESH and being able to get back to a secure page once they have logged out. I am thinking that the only solution now is to properly validate when the user logs on and then properly invalidate when the user logs out or leaves the page.
Could someone please give me some instruction on how to use the validate and invalidate and where I should use them? I have a login.jsp where the user inputs their username and password and I also have a secure.jsp which is where the validation of username and password is done and if logged in correctly they stay on this page....if not they are forwarded to another page.
Thank you!
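
The check-at-the-top-of-every-page approach described in the replies above can be centralized in a servlet filter. This is an added example, not code from any poster in this thread: the class name LoginFilter is hypothetical, the "Logged" attribute and /login.jsp path are taken from the setup posted earlier, and the cache headers are an assumption about the cause of the back-button symptom (a browser can redisplay a copy it kept without contacting the server).

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (hypothetical class name). Map it in web.xml to the protected
// URLs such as /secure.jsp, but not to /login.jsp or /servlet/VerifyLogin,
// otherwise the login page itself would redirect in a loop.
public class LoginFilter implements Filter
{
    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException
    {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Ask the browser and any proxy not to keep a copy of protected pages,
        // so Back after logout triggers a new request instead of showing a
        // stored page. Set before any body output is written.
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        response.setHeader("Pragma", "no-cache");   // HTTP/1.0 clients
        response.setDateHeader("Expires", 0);

        // getSession(false) never creates a session: after logout.jsp has
        // called session.invalidate(), this returns null.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null
            && Boolean.TRUE.equals(session.getAttribute("Logged"));

        if (!loggedIn)
        {
            // Prefix the context path so the redirect works when the
            // application is not deployed at the server root.
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return; // do not run the protected page
        }
        chain.doFilter(request, response);
    }
}
```

With the filter in place, the per-page scriptlet check becomes a second line of defense rather than the only one, and a newly added JSP under the mapped path is protected without anyone remembering to paste the check into it.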

 