File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes Tomcat and the fly likes Tomcat session error Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login

Win a copy of Java Interview Guide this week in the Jobs Discussion forum!
JavaRanch » Java Forums » Products » Tomcat
Bookmark "Tomcat session error" Watch "Tomcat session error" New topic

Tomcat session error

Elías Porfirio

Joined: Jun 08, 2009
Posts: 4

I am having a problem logging out of my web app. A user logs in from a jsp page, the request is forwarded to a login servlet that then redirected to a jsp page after authentication. This works well. The problem occurs when the user selects the remember me option on the login page and then tries to logout. On logging out cookies are deleted and the system seems to be logged out but if the user revisits the page that the system forwards to after login, they are logged in again (not by using the back button but by revisiting the page, it is not protected). If they visit any other page they are not logged back in. The bad part is whatever error causes this also causes all who visit the website to be logged in automatically as that user and they have the ability to update details and change passwords.

Any ideas on what could be causing this?
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 17423

I'm not sure you're really getting all your cookies deleted. In any event, you should be keeping the definitive login indicator on the server (in session data), not on the client. The standard logout technique is nothing but a session.invalidate() method call that discards the session and its associated data.

You've got a classic example of the "Western Movie Set Town" syndrome; which, ironically, I just described here.

An IDE is no substitute for an Intelligent Developer.
Elías Porfirio

Joined: Jun 08, 2009
Posts: 4
Thanks for the reply i believe i got the problem fixed. I had the cookie login code in a jsp that was included using <%@ include %> and i transferred it to servlet instead and included it using <jsp:include page="" flush="true" /> and now it works fine.
I agree. Here's the link:
subject: Tomcat session error
It's not a secret anymore!