Setting session to true and then invalidating

Moined Mogul
Ranch Hand

Joined: Jul 11, 2001
Posts: 33
I am still having the problem with the user using the back button and then hitting REFRESH and being able to get back to a secure page once they have logged out. I am thinking that the only solution now is to properly validate when the user logs on and then properly invalidate when the user logs out or leaves the page.
Could someone please give me some instruction on how to use the validate and invalidate and where I should use them? I have a login.jsp where the user inputs their username and password and I also have a secure.jsp which is where the validation of username and password is done and if logged in correctly they stay on this page....if not they are forwarded to another page.
Thank you!
Anoop Krishnan
Ranch Hand

Joined: May 03, 2001
Posts: 163
Hi Moined Mogul,
If the user logs in correctly do something like this in your login.jsp:

    // record the successful login in the session
    session.setAttribute("LOGIN", Boolean.TRUE);

When the user logs out:

    // drop the login marker
    session.removeAttribute("LOGIN");

Now check for the attribute LOGIN in your secure.jsp page:

    Boolean isLogin = (Boolean) session.getAttribute("LOGIN");
    if (isLogin == null)
    {
        // kick out
    }
    else
    {
        // welcome
    }

I just want to know is there any body call my bean's Getter and Setter methods with "Please" in front - My favorite quip from Bugzilla
Rehan Malik
Ranch Hand

Joined: Jul 09, 2001
Posts: 76
Here is the complete setup. I've tried this on my side and it works.
// login.jsp
    <html>
    <body>
    <form method="post" action="/servlet/VerifyLogin">
        Username: <input type="text" name="username"><br>
        Password: <input type="password" name="pass"><br>
        <input type="submit" value="Submit"> <input type="reset" value=" Cancel ">
    </form>
    </body>
    </html>

// VerifyLogin.java
    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class VerifyLogin extends HttpServlet
    {
        public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException
        {
            doPost(request, response);
        }

        public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException
        {
            // getParameter() returns null when a field is missing
            String username = request.getParameter("username");
            String password = request.getParameter("pass");

            // constant-first equals() is null-safe
            if ("Username".equals(username) && "Password".equals(password))
            {
                // Set "Logged" only after the credentials check passes.
                // The session is a local variable because one servlet
                // instance is shared by all concurrent requests.
                HttpSession session = request.getSession();
                session.setAttribute("Logged", Boolean.TRUE);
                response.sendRedirect("/secure.jsp");
            }
            else
            {
                response.sendRedirect("/login.jsp");
            }
        }
    }

// secure.jsp
    <%
        if (session.isNew() || session.getAttribute("Logged") == null)
        {
            response.sendRedirect("/login.jsp");
            return; // stop here so the protected markup below is not rendered
        }
    %>
    <html>
    <body>
    <a href="logout.jsp">Logout</a>
    </body>
    </html>

// logout.jsp
    <%
        // discard the session and everything stored in it
        session.invalidate();
        response.sendRedirect("/login.jsp");
    %>
This SHOULD work. If this doesn't work and the user is still able to refresh the "secure.jsp" page after logging out, then I'm not sure what to tell ya.
[This message has been edited by Rehan Malik (edited July 13, 2001).]


Rehan Malik
Jason Kilgrow
Ranch Hand

Joined: May 21, 2001
Posts: 47
I use a static class called LoginUtil that has static methods to check various items regarding login. One of the items is a boolean called isLoggedIn which gets set in a loginBean to true upon successful login.
Then, at the top of all of my jsp's, I use LoginUtil.isLoggedIn() to check if the session is properly logged in. If it's not, I can check other things (like if the session has timed out) and redirect the browser to the login page or an error page, etc. The key is to check the status of isLoggedIn at the top of every jsp. This way, if someone bookmarks a page, the login status is checked and the user is redirected to the appropriate page.
Originally posted by Moined Mogul:
I am still having the problem with the user using the back button and then hitting REFRESH and being able to get back to a secure page once they have logged out. I am thinking that the only solution now is to properly validate when the user logs on and then properly invalidate when the user logs out or leaves the page.
Could someone please give me some instruction on how to use the validate and invalidate and where I should use them? I have a login.jsp where the user inputs their username and password and I also have a secure.jsp which is where the validation of username and password is done and if logged in correctly they stay on this page....if not they are forwarded to another page.
Thank you!
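
A sketch of the check-at-the-top-of-every-JSP approach described in the post above, as an added example that is not Jason Kilgrow's actual LoginUtil or any code from this thread. The method names, the "LOGGED_IN" attribute and the /login.jsp path are assumptions, and it goes one step beyond the thread by sending no-cache headers so that Back or Refresh after logout makes the browser re-request the page and hit the check again.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical helper: the class name follows the post, the body is assumed. */
public final class LoginUtil {
    private static final String LOGGED_IN = "LOGGED_IN";   // assumed attribute name
    private static final String LOGIN_PAGE = "/login.jsp"; // assumed login page path

    private LoginUtil() {}

    /** Call only after the username and password have been verified. */
    public static void markLoggedIn(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate(); // drop the pre-login session and its id
        }
        request.getSession(true).setAttribute(LOGGED_IN, Boolean.TRUE);
    }

    public static boolean isLoggedIn(HttpServletRequest request) {
        // getSession(false) never creates a session just to run the check
        HttpSession session = request.getSession(false);
        return session != null
                && Boolean.TRUE.equals(session.getAttribute(LOGGED_IN));
    }

    /**
     * Returns true when the page may render. Use at the top of each JSP:
     * <% if (!LoginUtil.requireLogin(request, response)) return; %>
     */
    public static boolean requireLogin(HttpServletRequest request,
                                       HttpServletResponse response)
            throws IOException {
        // Keep the protected page out of browser and proxy caches
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);
        if (isLoggedIn(request)) {
            return true;
        }
        response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
        return false;
    }

    public static void logout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }
}
```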

 