Session Invalidation and Timeout !

 
Ranch Hand
Posts: 45
Hi Guys !!!
Due to security reasons it is required that in case the user is currently sitting idle for too long (say 5 mins) then the application "should automatically log the user out".
Secondly, I am also having problems destroying a session when the user clicks on the "logout" button.
Following is the way I have implemented it:
In the Controller Servlet I am making a check to see if the current Session is valid by invoking the method session.isRequestedSessionIdValid(), and if it is not a valid session then the user should be redirected to the login page. However, I noticed after printing the session ID on each JSP that when the "logout" button is clicked and the user is directed to a "thank you" page, then on that page a different session ID is being printed on the JSP page. Now, when the back button is pressed and any of the site links are clicked, the user gets to have a look at all the site information as though he hasn't yet logged out.
How should these problems be solved ???
Pls Suggest
Thanks Guys !
 
Ranch Hand
Posts: 31
Originally posted by Sam Furtado:
Hi Guys !!!
Due to security reasons it is required that in case the user is currently sitting idle for too long (say 5 mins) then the application "should automatically log the user out".

You should put an entry in the web.xml file like
<session-config><session-timeout>xxx</session-timeout></session-config>
xxx should be in minutes.

Originally posted by Sam Furtado:
Secondly, I am also having problems destroying a session when the user clicks on the "logout" button.
Following is the way I have implemented it:
In the Controller Servlet I am making a check to see if the current Session is valid by invoking the method session.isRequestedSessionIdValid(), and if it is not a valid session then the user should be redirected to the login page. However, I noticed after printing the session ID on each JSP that when the "logout" button is clicked and the user is directed to a "thank you" page, then on that page a different session ID is being printed on the JSP page. Now, when the back button is pressed and any of the site links are clicked, the user gets to have a look at all the site information as though he hasn't yet logged out.
How should these problems be solved ???
Pls Suggest
Thanks Guys !

When the user clicks logout, you should explicitly invalidate the session by calling session.invalidate().
 
Sam Furtado
Ranch Hand
Posts: 45
Hi Bill!
Thanks for your reply !
I have currently implemented it in the same fashion. I am aware that if the user's session has timed out then the container would go ahead and destroy that session. However, at that point of time I wouldn't want an internal site page to still be viewable to others. In other words, if the system is idle for some time then an automatic redirection should take place. This would be very much similar to how Windows 2000/NT based systems maintain system security, wherein if the user has not used the system for a specified amount of time then the system automatically logs off and goes into a sign-in mode (normally Ctrl-Alt-Del is pressed to specify user identification details).
Similarly, in the second problem the user clicks the sign out button. In this case I am invoking the Controller Servlet, which in turn is invoking a particular servlet which performs the task of invalidating the current session. This is done by invoking session.invalidate(), following which the user is forwarded to a "Thank You Page". As mentioned earlier, to track sessions I am printing the session ID on every page, so it is on this page too. The session ID printed on this page is a different session ID, which is expected and right. However, when the user now clicks on the back button he is still able to view the complete site. Further, when the user clicks on any link now, what gets printed is the new session ID. Also, since I have implemented this application using the MVC Pattern wherein every request is first sent to the Controller Servlet, there I am checking whether the current session is valid by invoking request.isRequestedSessionIdValid() and if not redirecting the user to the Login Page. However, this doesn't happen since, as in the above scenario, after invalidating a user's session and redirecting the user to a thank you page a new session is now created, which is now considered by the browser to be a valid session.
How should these problems be solved so as to have stronger site security implemented ???
Pls Suggest.
Thank You
 
Greenhorn
Posts: 22
This is just a shot in the dark, but have you tried redirecting the client using response.sendRedirect()? I don't know why the container isn't invalidating the session, but this would force a new request from the client, and may solve the problem (in a way that shouldn't be container specific).
Chris
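As an added example (not code from the thread), here is a logout servlet that puts the two suggestions above together: it invalidates the current session, as Bill says, and then redirects the browser, as Chris suggests, so the thank-you page is served in a fresh request that carries no session at all. It assumes the javax.servlet API and a page called thankyou.jsp in the web application root; both the class and page names are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout servlet (example only, not from the thread).
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession(false) returns null instead of creating a session, so a
        // second click on "logout", or a click after the container has already
        // timed the session out, does not silently create a new empty session.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();   // drops the session and every attribute in it
        }
        // sendRedirect (not a RequestDispatcher forward) makes the browser issue
        // a brand-new GET for the thank-you page; the old session id is gone and
        // the thank-you page itself should not create another one.
        // "thankyou.jsp" is an assumed page name.
        response.sendRedirect(request.getContextPath() + "/thankyou.jsp");
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }
}
```

The web.xml `<session-timeout>` value Bill gives is in minutes; the programmatic equivalent, `HttpSession.setMaxInactiveInterval(int)`, takes seconds, so a 5 minute idle limit set at login time is `session.setMaxInactiveInterval(5 * 60)`.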
 
Ranch Hand
Posts: 114
Use a hidden frame; set a global JavaScript variable counting time, resetting the time counter whenever there is activity.
Whenever 5 minutes have been completed, call the session invalidating JSP page from there.
Hope it will help.
 
Bill Wang
Ranch Hand
Posts: 31
Hi, Sam,
I think for the first problem, prabhat's suggestion will be helpful. Since HTTP is a stateless protocol, there is no way that the container knows about the browser unless there is a request coming from the browser.
For the second problem, you have to include some session checking page in your JSPs. It should be very simple through the <%@ include %> tag.
For instance, <%@ include file="sessioncheck.jsp" %>
and the sessioncheck.jsp will look like the following:
<% if (session.isNew()) {
       // do something
   } else {
       // do something else
   } %>
Hope this helps.
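The session check Bill describes can also be done once, in a servlet Filter mapped to the protected URLs, instead of an include in every JSP. This is an added example, not code from the thread. The point it makes for Sam's second problem: the test is "does this session carry a logged-in user", not "is the session valid", because the thank-you page (or any JSP with the implicit session object) can create a fresh empty session that isRequestedSessionIdValid() happily accepts. It assumes the javax.servlet API at Servlet 2.3 or later (when Filters were introduced), a login page at /login.jsp, and a session attribute named "user" that the login step stores; all three names are assumptions. The Cache-Control header is a step beyond the thread's advice, added so the Back button does not show a cached copy of a protected page after logout.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter (example only). Map it in web.xml to the protected
// area, e.g.:
//   <filter><filter-name>sessionCheck</filter-name>
//           <filter-class>SessionCheckFilter</filter-class></filter>
//   <filter-mapping><filter-name>sessionCheck</filter-name>
//                   <url-pattern>/secure/*</url-pattern></filter-mapping>
public class SessionCheckFilter implements Filter {

    // Attribute the login servlet is assumed to store after a successful login.
    static final String USER_ATTRIBUTE = "user";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!isLoggedIn(request)) {
            // Covers all three cases from the thread: no session at all, a fresh
            // session created by an unprotected page after logout, and a session
            // the container already discarded because the idle timeout expired.
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }
        // Ask the browser not to cache protected pages, so Back after logout
        // triggers a new request that this filter can reject.
        response.setHeader("Cache-Control", "no-store");
        chain.doFilter(req, res);
    }

    /** True only when a session exists and was populated by the login step. */
    static boolean isLoggedIn(HttpServletRequest request) {
        HttpSession session = request.getSession(false);   // never create one here
        return session != null && session.getAttribute(USER_ATTRIBUTE) != null;
    }
}
```

With this in place the controller no longer needs isRequestedSessionIdValid(): a session created by the thank-you page has no "user" attribute, so the next click on a site link is sent to the login page rather than to the site content.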
 
Greenhorn
Posts: 14
In your Thank You page, try putting this scriptlet on the first line:
<%@ page session="false"%>
This way, your page will not create a new session.
Hope this helps!
 