How to remove JSESSIONID cookie on session invalidation

Puneet Agarwal
Ranch Hand

Joined: Jul 15, 2003
Posts: 49
Hi,

I am calling session.invalidate() in my web application but this does not remove the JSESSIONID cookie. So one of our customers has raised this as a security threat. They fear a scenario where a different user can do a back and refresh on same browser and use previous user's session.

So let me know of a way of invalidating the existing JSESSIONID cookie once session.invalidate has been called.
abhishek pendkay
Ranch Hand

Joined: Jan 01, 2007
Posts: 184
Once you invalidate the session, how can a user do a back and refresh and access the same (already invalidated) session? Even if the JSESSIONID is still present, the session whose ID it is holding is already invalidated, so how can you get that session back?


The significant problems we face cannot be solved by the same level of thinking which created them – Einstein
SCJP 1.5, SCWCD, SCBCD in the making
Puneet Agarwal
Ranch Hand

Joined: Jul 15, 2003
Posts: 49
I guess since we are using the same browser, it reuses the existing JSESSIONID.
abhishek pendkay
Ranch Hand

Joined: Jan 01, 2007
Posts: 184
My point is when you say session.invalidate() the session object is destroyed, so even if you use the same browser, which will use the same JSESSIONID, how will you be able to access an object (the session in this case) after it has been destroyed?
Bk Jacky
Ranch Hand

Joined: Jun 11, 2005
Posts: 74
Puneet,

I agree with abhishek. Please check your problem again. Maybe it is some other issue.


SCJP1.4
SCWCD1.5
"Nothing is impossible"
Puneet Agarwal
Ranch Hand

Joined: Jul 15, 2003
Posts: 49
I will try and put the problem differently:

I have a web application which presents a login page to the user. The user enters his user ID and password and is logged in. He then browses to another page and clicks Exit to log out. Logout also results in a call to session.invalidate. After this the user again clicks the browser's Back, Back and Reload buttons. He is again logged into the application without having to re-enter the user ID and password.

Any idea how I can avoid such a situation?
Ashok Kumar Babu
Ranch Hand

Joined: Jul 25, 2006
Posts: 129
After this the user again clicks the browser's Back, Back and Reload buttons. He is again logged into the application without having to re-enter the user ID and password.

Any idea how I can avoid such a situation?


Puneet,

How can he log in again without entering his username and password?

Have a look at this FAQ to avoid the browser cache when the same URL is called again.


Ashok
SCJP 91%
SCWCD 88%
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12769
he is again logged into the application without having to reenter the user id and password.


No, it just looks like he is logged into the application. Any form submission from that old page will have the old JSESSIONID cookie attached. When your program attempts to retrieve that session, it will fail. It is up to you to provide the proper logic to detect this.

Bill
Puneet Agarwal
Ranch Hand

Joined: Jul 15, 2003
Posts: 49
Bill,

There is no failure. I should tell you that it's a POST request that gets fired when the user does a RELOAD after hitting BACK. Also, I did not understand your statement that it is up to us to handle it properly. Can you elaborate a little more on this please?

Regards,
Puneet
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12769
If the session was truly invalidated, your code that receives the POST request should not be able to retrieve the old session. Do you have any evidence that this is actually happening?

If you are using getSession() and it does return a session, it should be a new one - see the isNew() method of HttpSession.

You should be using getSession(false), which would return null if the old session has indeed been invalidated.

Bill
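A defender-side pattern for what Bill describes, written as an added example rather than code from this thread: a servlet filter that treats a request whose JSESSIONID no longer maps to a valid, authenticated session as logged out, and a helper the logout servlet can call after session.invalidate() to expire the cookie the browser keeps resending. The filter name, the `authenticatedUser` attribute and the `/login.jsp` path are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: every request behind it must carry a valid session that
// the login servlet marked as authenticated; anything else goes to the login page.
public class AuthSessionFilter implements Filter {
    static final String USER_ATTR = "authenticatedUser"; // assumed, set by the login servlet

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session, so a replayed POST carrying an
        // invalidated JSESSIONID yields null here (a fresh session has no user attribute).
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null
                && request.isRequestedSessionIdValid()
                && session.getAttribute(USER_ATTR) != null;
        if (!loggedIn) {
            expireSessionCookie(request, response);
            response.sendRedirect(request.getContextPath() + "/login.jsp"); // assumed login page
            return;
        }
        // Stop the browser caching authenticated pages so Back does not redisplay them.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);
        chain.doFilter(req, res);
    }

    // Call this from the logout servlet right after session.invalidate(): it cannot make
    // the old ID valid again, but it tells the browser to drop the stale cookie.
    static void expireSessionCookie(HttpServletRequest request, HttpServletResponse response) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return;
        for (Cookie c : cookies) {
            if ("JSESSIONID".equals(c.getName())) {
                Cookie dead = new Cookie("JSESSIONID", "");
                dead.setMaxAge(0); // max-age 0 instructs the browser to delete the cookie
                dead.setPath(request.getContextPath().length() == 0 ? "/" : request.getContextPath());
                response.addCookie(dead);
            }
        }
    }
}
```

If the page being reloaded is the login form's own POST result, the browser resubmits the credentials it cached with that page and a new login is legitimately created; in that case the no-cache headers above must also be sent on the login response so Back does not restore it.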
Puneet Agarwal
Ranch Hand

Joined: Jul 15, 2003
Posts: 49
Bill,

I agree that the old session is not getting retrieved. But my problem is that using a combination of Back and Refresh I am able to log in to the application without having to enter the credentials again. Where are the credentials being stored? Does the browser store them in a cookie? If yes, is there a way I can invalidate the cookie?
dhwani mathur
Ranch Hand

Joined: May 08, 2007
Posts: 621
Hi Puneet,

This has already been discussed somewhere before.
See if it helps.


Dhwani:>Winning is not important but it is the only thing.