I am having a problem logging out of my web app. A user logs in from a jsp page, the request is forwarded to a login servlet that then redirected to a jsp page after authentication. This works well. The problem occurs when the user selects the remember me option on the login page and then tries to logout. On logging out cookies are deleted and the system seems to be logged out but if the user revisits the page that the system forwards to after login, they are logged in again (not by using the back button but by revisiting the page, it is not protected). If they visit any other page they are not logged back in. The bad part is whatever error causes this also causes all who visit the website to be logged in automatically as that user and they have the ability to update details and change passwords.
I'm not sure you're really getting all your cookies deleted. In any event, you should be keeping the definitive login indicator on the server (in session data), not on the client. The standard logout technique is nothing but a session.invalidate() method call that discards the session and its associated data.
You've got a classic example of the "Western Movie Set Town" syndrome; which, ironically, I just described here.
An IDE is no substitute for an Intelligent Developer.
Joined: Jun 08, 2009
Thanks for the reply i believe i got the problem fixed. I had the cookie login code in a jsp that was included using <%@ include %> and i transferred it to servlet instead and included it using <jsp:include page="" flush="true" /> and now it works fine.