JavaRanch » Java Forums » Frameworks » Struts
Session problem

lee kris
Ranch Hand

Joined: Mar 30, 2005
Posts: 35
hi everyone,
I have a small application that I am developing and now I am trying to use sessions. I want to set the session when a user logs in and invalidate it when the user logs out. In between the login and logout there are many things that a user can do (many possible actions).
I have set the scope = "session" option in my struts-config.xml file and also I have set the session when a user logs in and invalidate it when a user logs out. Some code snippets are as follows. First in my struts-config.xml I have...


my LoginAction.java and LogoutAction.java are as follows.



Now, when I am testing it, I log in, do a lot of actions and log out. I then open another browser and try to gain access and do some actions, and it still lets me in. In other words, after I log out, someone can just gain access to the system. Can anyone suggest to me how I correct this error? Or perhaps link me to a similar example that uses sessions?
Thank you very much.
lee
Ray Stojonic
Ranch Hand

Joined: Aug 08, 2003
Posts: 326
My guess is that what you're trying to control access to isn't checking to see if the user is logged in.

Try this: restart your context, open a new browser, then without logging in, try to access your system. If you can get in, you'll need to add code to verify that the user is logged in.

Personally, I check 'user logged in' status on every page and before performing any requested action.
lee kris
Ranch Hand

Joined: Mar 30, 2005
Posts: 35
hi Ray Stojonic and everybody,
Ray, you are right, I was not doing the user check on every page. I understand what you want me to do but am not sure how. I have never done it before. Do I add a "user checking status" on all the actions (java files)?


Do I also need to set scope="session" in my struts-config.xml where all the actions are being used as the forward path?
A snippet of code would be very helpful.
I am thinking the following might do but not sure.



Thanks for your response and patience.
Lee
Ray Stojonic
Ranch Hand

Joined: Aug 08, 2003
Posts: 326
That's the basic idea

To that I would add some code to check if the user is valid, like:



because a failed login would most likely still cause a user object to be placed in the session, even though the user failed authentication.
lee kris
Ranch Hand

Joined: Mar 30, 2005
Posts: 35
Thanks Ray,
I will do that and update you of the progress by tomorrow.
Thank you once again,
Lee
lee kris
Ranch Hand

Joined: Mar 30, 2005
Posts: 35
hi Ray Stojonic and everybody,
I followed the suggestion you gave me and the session timeout works. Thanks. However, I have also noticed that it does not work in certain instances. For instance, if I log in and go to some pages and log out and then paste a URL in the same browser, it lets me in (unless it has been 30 minutes). If I log out, the session should be invalidated and I should not be able to access any pages after that.
On the other hand, if I kill the browser and open a new one and then paste a URL (one of the pages), then it says sessiontimeout (which is what I want). Also, after 30 minutes (the Struts default session timeout) of inactivity it does time out (this is good). So the only problem that I have is if I log in and go to some pages and log out and, immediately, paste a link which should only be accessed if a user has a session, in the same browser; then it does NOT say sessionTimeout or invalid session. I do invalidate in my logout action as follows:

So can anyone please suggest to me what I could be missing.
Thanks guys.
lee
Ray Stojonic
Ranch Hand

Joined: Aug 08, 2003
Posts: 326
Hi Lee,

Assuming that you're using some sort of User bean, I'll guess that your servlet access code goes a little like this:

In other words, it depends on the user having a validated user bean and a current session.

When you invalidate the session on logout, a new session immediately takes its place, so the session portion is valid.

Contrary to what we might think, the user bean is still hanging around at this point, so on pasting a URL, the user can still get in after logging out.

The solution (hopefully) is rather simple: prior to invalidating the session, invalidate the user. (Don't just shut the door, also take away their key.)
[ September 12, 2005: Message edited by: Ray Stojonic ]
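Ray's "take away the key, then shut the door" advice, written out as a Struts 1 login/logout pair. This is an added example, not code from this thread: the `"user"` attribute name, the `success`/`login` forward names, the `username`/`password` form fields and the `UserService.authenticate` helper are all assumptions (the helper is not shown). The two actions are listed together here; in a project each public class goes in its own source file.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.DynaActionForm;

/** Session attribute that holds the logged-in user (assumed name). */
final class SessionKeys {
    static final String USER = "user";
    private SessionKeys() {}
}

/**
 * LoginAction: a user object is stored in the session only after the
 * credentials have been verified, so a failed login leaves nothing in the
 * session that a later "is there a user?" check could mistake for logged in.
 */
public class LoginAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        DynaActionForm loginForm = (DynaActionForm) form;
        String username = (String) loginForm.get("username");
        String password = (String) loginForm.get("password");

        // Hypothetical helper: returns a User on success, null on failure.
        User user = UserService.authenticate(username, password);
        if (user == null) {
            // Back to the form; deliberately no session state is created.
            return mapping.findForward("login");
        }

        // Drop any session that existed before authentication so a session id
        // handed out before login is not reused for the authenticated user,
        // then start a fresh one and put the user in it.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute(SessionKeys.USER, user);
        return mapping.findForward("success");
    }
}

/**
 * LogoutAction: remove the user object first (take away the key), then
 * invalidate the session (shut the door). A pasted URL afterwards finds a
 * new, empty session with no user in it and is rejected by the login check.
 */
public class LogoutAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // getSession(false): never create a session just to destroy it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.removeAttribute(SessionKeys.USER);
            session.invalidate();
        }
        return mapping.findForward("login");
    }
}
```

The login check elsewhere in the application must then test for the presence of a non-null `"user"` attribute on an existing session (obtained with `getSession(false)`), not merely for the existence of a session, because the container hands out a new session as soon as the old one is invalidated.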
lee kris
Ranch Hand

Joined: Mar 30, 2005
Posts: 35
hi Ray,
I get what you said about invalidating the user.
Here is what I tried and related codes.


and my logout action is as follows (this is where I am invalidating the session and the user).



I tried this and it did not work, so I am just not sure if this is the right way of invalidating the user.
User, by the way, is a class that deals with all of the user's information.
Thanks.
lee
Clinton Arnold
Greenhorn

Joined: Sep 24, 2007
Posts: 2
The problem reported could have been due to the browser caching pages. A Google search for 'Solving the logout problem' should yield an article describing some solutions for browser caching.
Tarun Yadav
Ranch Hand

Joined: Sep 20, 2007
Posts: 134
Um, I know it's been a long time since this topic's been active, but instead of adding the code to check if the user is logged in on every page, I think it would be loads better to use a filter to do the same. That way you have a single point of control; if you need to modify the code, you do it in one place and you won't accidentally miss out some JSP/servlet either.
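A servlet filter that gives the single point of control suggested above and also covers Clinton's browser-caching case, by marking every protected response non-cacheable so a pasted URL or the back button cannot show a cached page after logout. This is an added example, not code from this thread; the `"user"` attribute name and the `/login.jsp` default are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * One place that decides whether a request may reach a protected action or
 * JSP. Mapped in web.xml to the protected URL patterns, so no individual
 * action class or page can forget to do the check.
 */
public class LoginCheckFilter implements Filter {
    /** Session attribute holding the authenticated user (assumed name). */
    private static final String USER_KEY = "user";
    /** Where unauthenticated requests are sent (assumed default path). */
    private String loginPage = "/login.jsp";

    public void init(FilterConfig config) {
        // Optional <init-param> named "loginPage" overrides the default.
        String configured = config.getInitParameter("loginPage");
        if (configured != null) {
            loginPage = configured;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!isLoggedIn(request)) {
            // No user in the session: the requested action never runs.
            response.sendRedirect(request.getContextPath() + loginPage);
            return;
        }

        // Protected content must not be replayed from the browser cache after
        // logout, so every protected response is marked non-cacheable.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        chain.doFilter(request, response);
    }

    /**
     * Logged in means: an already-existing session that carries a non-null
     * user object. getSession(false) matters here; getSession() would create
     * a fresh empty session for an anonymous request and a check for
     * "session != null" alone would then always pass.
     */
    static boolean isLoggedIn(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session != null && session.getAttribute(USER_KEY) != null;
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

Register it in web.xml with a `<filter>` entry for `LoginCheckFilter` and `<filter-mapping>` entries whose `<url-pattern>` values cover the protected actions (for a Struts 1 application typically `*.do`) and the directory holding the protected JSPs. The login page and the login action itself must stay outside those patterns, otherwise an anonymous request is redirected to the login page, which the filter redirects again, and the browser loops.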