How to remove JSESSIONID cookie on session invalidation

 
Puneet Agarwal
Ranch Hand
Posts: 49
Hi,

I am calling session.invalidate() in my web application, but this does not remove the JSESSIONID cookie. So one of our customers has raised this as a security threat. They fear a scenario where a different user can do a Back and Refresh on the same browser and use the previous user's session.

So let me know of a way of invalidating the existing JSESSIONID cookie once session.invalidate() has been called.
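The logout handler below is an added example, not code from this thread or from any poster. It shows the two things a logout should do on the server side: invalidate the session and, as a defence-in-depth measure, send back an expired JSESSIONID cookie so the browser stops presenting the stale ID. Package names are javax.servlet (Servlet 3.0 API), the login page path "/login.jsp" and the session attribute name "user" are assumptions for the example. The cookie name is read from the container's SessionCookieConfig and falls back to the servlet default "JSESSIONID".

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Logout servlet (example, not from the thread). Invalidates the server-side
 * session and tells the browser to drop the session cookie.
 */
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession(false) never creates a session as a side effect of logging out.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Build a cookie with the same name and path as the container's session cookie
        // and a max age of 0, which instructs the browser to delete it. The browser only
        // replaces the cookie if name, path and domain match the original, so take them
        // from the container configuration where it is available (Servlet 3.0+).
        SessionCookieConfig cfg = getServletContext().getSessionCookieConfig();
        String name = cfg.getName() != null ? cfg.getName() : "JSESSIONID";
        String path = cfg.getPath() != null ? cfg.getPath() : request.getContextPath();
        if (path == null || path.isEmpty()) {
            path = "/"; // root context: the container sets the cookie path to "/"
        }
        Cookie expired = new Cookie(name, "");
        expired.setMaxAge(0);
        expired.setPath(path);
        expired.setHttpOnly(true);
        expired.setSecure(request.isSecure());
        response.addCookie(expired);

        // Make sure neither the browser nor an intermediate proxy serves a cached copy
        // of the logged-in page when the user presses Back.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        // Assumed login page path for this example.
        response.sendRedirect(request.getContextPath() + "/login.jsp");
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }
}
```

Expiring the cookie is a courtesy to the browser, not the security boundary: once invalidate() has run, the container no longer maps that ID to any session, so a stale JSESSIONID cannot recover the old user's data regardless of whether the cookie is still present.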
 
abhishek pendkay
Ranch Hand
Posts: 184
Once you invalidate the session, how can a user do a Back and Refresh and access the same (already invalidated) session? Even if the JSESSIONID is still present, the session whose ID it is holding is already invalidated, so how can you get that session back?
 
Puneet Agarwal
Ranch Hand
Posts: 49
I guess since we are using the same browser, it reuses the existing JSESSIONID.
 
abhishek pendkay
Ranch Hand
Posts: 184
My point is: when you call session.invalidate(), the session object is destroyed. So even if you use the same browser, which will send the same JSESSIONID, how will you be able to access an object (the session in this case) after it has been destroyed?
 
Bk Jacky
Ranch Hand
Posts: 74
Puneet,

I agree with abhishek. Please check your problem again. Maybe it is some other issue.
 
Puneet Agarwal
Ranch Hand
Posts: 49
I will try and put the problem differently:

I have a web application which presents a login page to the user. The user enters his user ID and password and is logged in. He then browses to another page and clicks Exit to log out. Logout also results in a call to session.invalidate(). After this, if the user clicks Back, Back and then the Reload button in the browser, he is again logged into the application without having to re-enter the user ID and password.

Any idea how I can avoid such a situation?
 
Ashok Kumar Babu
Ranch Hand
Posts: 129
After this, if the user clicks Back, Back and then the Reload button in the browser, he is again logged into the application without having to re-enter the user ID and password.

Any idea how I can avoid such a situation?

Puneet,

How can he log in again without entering his username and password?

Have a look at this FAQ to avoid the browser cache when the same URL is called again.
 
William Brogden
Author and all-around good cowpoke
Rancher
Posts: 13055
he is again logged into the application without having to re-enter the user ID and password.

No, it just looks like he is logged into the application. Any form submission from that old page will have the old JSESSIONID cookie attached. When your program attempts to retrieve that session, it will fail. It is up to you to provide the proper logic to detect this.

Bill
 
Puneet Agarwal
Ranch Hand
Posts: 49
Bill,

There is no failure. I should mention that it's a POST request that is being fired when the user does a Reload after hitting Back. Also, I did not understand your statement that it is up to us to handle it properly. Can you elaborate a little more on this, please?

Regards,
Puneet
 
William Brogden
Author and all-around good cowpoke
Rancher
Posts: 13055
If the session was truly invalidated, your code that receives the POST request should not be able to retrieve the old session. Do you have any evidence that this is actually happening?

If you are using getSession() and it does return a session, it should be a new one; see the isNew() method of HttpSession.

You should be using getSession(false), which would return null if the old session has indeed been invalidated.

Bill
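The filter below is an added example (not Bill's code or anyone else's in the thread) of the "proper logic to detect this" that he describes. It applies Bill's advice to use getSession(false) rather than getSession(): a request that arrives with a stale JSESSIONID after invalidate() gets null back, is treated as unauthenticated and is redirected to the login page instead of silently being given a fresh, empty session. It also adds the no-cache headers that the FAQ referenced earlier in the thread is about, so that Back does not display a cached copy of a logged-in page. The javax.servlet package, the "user" session attribute, the "/login" path exclusion and the URL pattern in the web.xml fragment in the comment are all assumptions for the example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Authentication check filter (example, not from the thread).
 *
 * Assumed mapping in web.xml, so the login page itself is not protected:
 *   <filter-mapping><filter-name>authCheck</filter-name><url-pattern>/app/*</url-pattern></filter-mapping>
 */
public class AuthCheckFilter implements Filter {

    private static final String USER_ATTR = "user";   // assumed attribute set at login
    private static final String LOGIN_PATH = "/login"; // assumed login servlet path

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Never let the login endpoint itself be bounced back to login.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (path.startsWith(LOGIN_PATH)) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false): do not create a session just to inspect it. After
        // session.invalidate() the container returns null for the old JSESSIONID.
        HttpSession session = request.getSession(false);
        boolean authenticated = session != null
                && !session.isNew()
                && session.getAttribute(USER_ATTR) != null;

        if (!authenticated) {
            // Stale or missing session: a replayed POST from a page reached via Back
            // ends up here rather than being processed as if the user were logged in.
            response.sendRedirect(request.getContextPath() + LOGIN_PATH);
            return;
        }

        // Protected content must not be cached by the browser or a proxy, otherwise
        // Back shows the old page from cache even though the session is gone.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        chain.doFilter(req, res);
    }
}
```

Two things this filter does not do: it cannot tell a replayed POST from a fresh one (that is what CSRF tokens bound to the session are for), and it cannot stop the browser from re-submitting whatever form data it stored for the page being reloaded. Whether that replayed request is treated as a login is decided by the login endpoint, which is why it is kept outside the protected pattern and must apply its own checks.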
 
Puneet Agarwal
Ranch Hand
Posts: 49
Bill,

I agree that the old session is not being retrieved. But my problem is that using a combination of Back and Refresh I am able to log in to the application without having to enter the credentials again. Where are the credentials being stored? Does the browser store them in a cookie? If yes, is there a way I can invalidate the cookie?
 
dhwani mathur
Ranch Hand
Posts: 621
Hi Puneet,

This has already been discussed somewhere before.
See if it helps.

Dhwani:> Winning is not important, but it is the only thing.
 