I have done a logout which calls session.invalidate() in my servlets.
But I realised that by pressing the back button to my loginServlet and refreshing, it actually logs in again! It seems like the ID and password exist "somewhere", which enables the loginServlet to get its parameters and relogin.
How do I prevent users from pressing backspace and then pressing refresh to get another login session after they have just logged out? I have been reading up on filters; can anyone tell me whether filters can do the job? Actually, what's the problem here? I have been stuck here for a long, long time!!!
Ideally you should check for a valid session at the top of any page that your user can go to on your website. Usually people include a startup file at the top of every JSP, and that startup JSP page checks for a valid session and redirects when one is not found.
If you are using servlets, then you should use a ServletFilter. This ServletFilter is usually mapped to a URL (like a servlet path mapping). In the doFilter() implementation for this filter, you can check for the existence of the user session; if it is not there, then redirect the user to the login page.
If it is there, then the filter takes care of forwarding to the requested resource when you call chain.doFilter().
Also, make sure that the session object being checked is removed from session scope when the user logs out.
Hmmm... but what if another user (a registered and legal user) wants to log in? He does not have a valid session yet, and because the filter will check for a valid session when he is logging in (and he doesn't have one yet), won't that send him straight to an error login page?
Usually the login page is kept out of the URL path your filter is mapped to. For example, all the important resources are in a folder, say "secured", so every user can go to the login page without the filter being invoked. Once he enters the login information and clicks submit, it goes to a servlet which is still outside the "secured" URL mapped for the filter.
Usually, in a pattern like MVC, it goes to the controller servlet, which then creates a valid session for the user. After the valid session is created, the request is forwarded to a resource which lies in the "secured" path, and the filter is invoked, which checks the validity of the session.
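The two answers above (the session-checking filter, and keeping the login page and login servlet outside the filter's URL mapping) fit together as follows. This is an added example written for this thread, not code posted by either participant: the class names, the "/secured/*" mapping, the "user" session attribute, the page names and the hard-coded demo credentials are all assumptions. The three classes go into three separate source files in the web application; the annotations need a Servlet 3.0 container, and on an older container the same mappings are declared in web.xml instead.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// File 1: SessionCheckFilter.java
// Mapped only under /secured/*, so /login.jsp and /login are reachable without a session
// and a fresh, legitimate user is never bounced by this filter while logging in.
@WebFilter("/secured/*")
public class SessionCheckFilter implements Filter {
    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session; after session.invalidate() it returns null.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return; // chain.doFilter() is NOT called, so the secured resource is never reached
        }
        // Ask the browser not to cache secured pages, so the back button after logout
        // does not show a stale copy of a protected page.
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        chain.doFilter(req, res); // session is valid: continue to the requested resource
    }
}

// File 2: LoginServlet.java
// Lives outside /secured/*, so the filter does not run for the login POST itself.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String id = request.getParameter("id");
        String password = request.getParameter("password");
        if (!credentialsValid(id, password)) {
            response.sendRedirect(request.getContextPath() + "/login.jsp?error=1");
            return;
        }
        // Drop any session that existed before login and start a fresh one for this user.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute("user", id);
        // Redirect rather than forward: the browser's history then holds a GET of the
        // landing page, so a refresh repeats that GET instead of re-sending the login POST.
        response.sendRedirect(request.getContextPath() + "/secured/home.jsp");
    }

    // Constructed placeholder check for this example only; a real application verifies
    // the submitted credentials against its user store instead of fixed values.
    private boolean credentialsValid(String id, String password) {
        return "demo".equals(id) && "demo-password".equals(password);
    }
}

// File 3: LogoutServlet.java
// Sits under /secured/* (only a logged-in user can log out); invalidating the session
// removes the "user" attribute along with everything else stored in it.
@WebServlet("/secured/logout")
public class LogoutServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        response.sendRedirect(request.getContextPath() + "/login.jsp");
    }
}
```

With this layout, a request for any URL under /secured/ after logout finds no session and is redirected to /login.jsp, while the login form and the /login servlet stay reachable for a user who has no session yet; the redirect from the login servlet also means that pressing back and then refresh reloads a GET rather than replaying the credentials that were posted.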