Create a session after login

Sarra Sakka
Ranch Hand

Joined: Jul 12, 2013
Posts: 272
Hi,
How can I create a session when I log in, and how can I invalidate it when I log out?
Thank you in advance
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16103
    

It would be very difficult to NOT have a session and be logged in. Without an HttpSession attached to the user, the only requests you can make are stateless ones, because the login state is pretty much constrained to be part of the session.

In any event, if you use the J2EE standard container, it should create a session when you log in if you didn't already have one. But that's not really important. At any time, if you invoke the getSession(true) method, the current session will be returned to you. And if there was no current session, it will create one and return it.

To log out, the traditional method has been to invoke the session object's invalidate() method. In JEE, however, there's now also an explicit logout() method.
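
An added example (not part of the original thread) of the session lifecycle described in the reply above: `getSession(true)` after a successful login, then `logout()` and `invalidate()` on logout. The class names, the `/login` and `/logout` mappings and the `user` attribute are assumptions; `request.login()` assumes a security realm is configured in the container, and `changeSessionId()` requires Servlet 3.1.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example. Class names, URL paths and the "user" attribute are assumptions;
// request.login() needs a security realm configured in the container.
public class SessionLifecycle {

    @WebServlet("/login")
    public static class LoginServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse res)
                throws ServletException, IOException {
            try {
                // Servlet 3.0: the container checks the credentials against its realm.
                req.login(req.getParameter("username"), req.getParameter("password"));
            } catch (ServletException loginFailed) {
                res.sendRedirect(req.getContextPath() + "/authentication.jsp");
                return;
            }
            // Returns the current session, or creates one if none exists yet.
            HttpSession session = req.getSession(true);
            // Servlet 3.1: issue a new ID so a pre-login session ID is not reused.
            req.changeSessionId();
            session.setAttribute("user", req.getRemoteUser());
            res.sendRedirect(req.getContextPath() + "/test/home");
        }
    }

    @WebServlet("/logout")
    public static class LogoutServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse res)
                throws ServletException, IOException {
            req.logout(); // Servlet 3.0: clears the container's authenticated user
            // getSession(false) never creates a session just to destroy it.
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.invalidate(); // drops every attribute, including "user"
            }
            res.sendRedirect(req.getContextPath() + "/authentication.jsp");
        }
    }
}
```
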
Sarra Sakka
Ranch Hand

Joined: Jul 12, 2013
Posts: 272
Should I only use this statement:

without setAttribute?
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16103
    

Well, you cannot set a session attribute until you have a session object to hold the session attribute collection!
Sarra Sakka
Ranch Hand

Joined: Jul 12, 2013
Posts: 272
If I use setAttribute in my login servlet, what should I put in my logout servlet?
John Schretz
Ranch Hand

Joined: Sep 10, 2008
Posts: 188
Sarra Sakka wrote: If I use setAttribute in my login servlet, what should I put in my logout servlet?


You can do it 2 ways:

Clear the entire session


or

Clear certain session variables


It depends what you are defining as "logout" for your application. You may want to clear a specific user out of the session and keep other session variables around for whatever reason. If you want to totally clear the entire session then invalidate it.
Sarra Sakka
Ranch Hand

Joined: Jul 12, 2013
Posts: 272
If I use a filter, how can I do it?
John Schretz
Ranch Hand

Joined: Sep 10, 2008
Posts: 188
Sarra Sakka wrote: If I use setAttribute in my login servlet, what should I put in my logout servlet?



Your entry point needs to be outside of your filter. (meaning not in the confines of the filter)

Here is a simple login filter I use to check if the user is logged in and in the session within the defined URL pattern (using the Tomcat container).

This will give you the basic path and flow of how to implement it, however there are other frameworks and logic within that code that you would have to implement yourself for your specific application.

Filter descriptor



Servlet Filter


Credential check



My login entry is http://www.mysite.com/administration/login. When I log in on that page, it submits to the CheckUserCredentialsCommand, which is just a simple servlet. That servlet then tries to do a page redirect to one of the pages that is behind the filter. In the filter it checks the user: if the user is null, it forwards back to the login page; if there is a valid user, it goes through the filter chain, which was your redirect from the CheckUserCredentialsCommand, and now your URL looks like http://www.mysite.com/administration/controlpanel/dashboard, the dashboard page being behind the filter. If there was no user, you would never be able to get to that page.

Your logout would then just be another servlet that invalidates the session and redirects the user back to the login page.
Sarra Sakka
Ranch Hand

Joined: Jul 12, 2013
Posts: 272
Thank you for your reply, but I don't understand you very well.
Here's the filter code:

Filter descriptor in web.xml:

The authentication JSP page:

And here's the authentication servlet:

Here's the home.jsp:

And the Logout servlet:

What should I change in my code to make it work?
Thank you in advance.
John Schretz
Ranch Hand

Joined: Sep 10, 2008
Posts: 188
I would need more information. With your current code what exactly is NOT working? You seem to have the format correct.

First thing I see is that your filter is filtering every request by defining the following URL pattern:



You would need at least 2 URL patterns defined:

http://www.mysite.com/administration/login // this url should not pass through the filter code, anybody should be able to view this page

http://www.mysite.com/administration/controlpanel/dashboard //this url is behind the filter (you would define a pattern as so)


This way anybody that tries to view pages behind /administration/controlpanel/* has to pass through your filter and in there you evaluate if the user is authenticated or not or if the user even exists.
Sarra Sakka
Ranch Hand

Joined: Jul 12, 2013
Posts: 272
When I enter a valid username and password, the user is logged in to home.jsp.
In home.jsp, when I click logout, the authentication.jsp page is displayed.
My problem is that when I click the "back" button, home.jsp is displayed, but it should not be displayed. Do you understand me?
I changed something in web.xml as follows:
John Schretz
Ranch Hand

Joined: Sep 10, 2008
Posts: 188

I'll try to explain the URL mapping a bit better.

I have 2 servlet URL patterns defined in addition to my filter URL pattern. You want to make sure your entry point is OUTSIDE of your filter; this way, if there is no valid user, the pages behind the filter will not be displayed.



Servlet outside of filter (my login page)


Servlet inside my filter (URL pattern matches the filter's URL pattern)


You also may be seeing a stale page, so when you log out you also want to clear the page cache, so technically when you hit back after logout it should direct you to the login page.

Example:



In place of my commandContext you would use HttpServletRequest request

so request.getResponse().setHeader(); etc.
Sarra Sakka
Ranch Hand

Joined: Jul 12, 2013
Posts: 272
I put the example in the Logout servlet?
Here's the new configuration in web.xml:

I created a folder test, which contains the JSP page, to put it inside the filter.
Sarra Sakka
Ranch Hand

Joined: Jul 12, 2013
Posts: 272
The back button always displays the home page.
Here's the filter:

What's the problem according to you?
I'm stuck
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18570
    

That looks like a pretty reasonable filter. The other half, of course, is for the authentication process to create a session attribute named "user" after a successful login. Does your code do that?
John Schretz
Ranch Hand

Joined: Sep 10, 2008
Posts: 188
Sarra Sakka wrote: The back button always displays the home page.
Here's the filter:

What's the problem according to you?
I'm stuck



You don't want to set the no-cache in the filter itself, you want to set it in the logout servlet. This way when you invalidate the session and expire the page, when you hit the back button it will send in another request which will pass through your filter and the filter will validate the user and user == null at this point. Then it redirects to the login page because the user is null. You should never see the home page if you are in this state after logout.

Your logout servlet should look like:

There is also no need to check if the user is null at this point as you are invalidating the entire session at this point



Also you should probably redirect to another servlet instead of directly to a jsp page and in the servlet you would just page forward to the jsp.
John Schretz
Ranch Hand

Joined: Sep 10, 2008
Posts: 188
In addition there is some bad logic and coding practice in your authentication servlet. I can go more complex but here is your servlet refactored, please see comments:

Sarra Sakka
Ranch Hand

Joined: Jul 12, 2013
Posts: 272
Paul Clapham wrote:Does your code do that?

Yes, I think so
Sarra Sakka
Ranch Hand

Joined: Jul 12, 2013
Posts: 272
John Schretz wrote: In addition there is some bad logic and coding practice in your authentication servlet. I can go more complex but here is your servlet refactored, please see comments:

I changed my authentication servlet as you said, and also my Logout servlet, but the same problem still occurs.
Here's the filter:
Sarra Sakka
Ranch Hand

Joined: Jul 12, 2013
Posts: 272
Here's the new filter:

Should I implement the init() method?
Sarra Sakka
Ranch Hand

Joined: Jul 12, 2013
Posts: 272
I need your help please
John Schretz
Ranch Hand

Joined: Sep 10, 2008
Posts: 188
Sarra Sakka wrote:
John Schretz wrote: In addition there is some bad logic and coding practice in your authentication servlet. I can go more complex but here is your servlet refactored, please see comments:

I changed my authentication servlet as you said, and also my Logout servlet, but the same problem still occurs.
Here's the filter:


Why is the logout servlet a filter? I posted what the logout servlet should look like, it's just a simple servlet, not a filter. You only need the filter for checking the valid user.
Here is the logout servlet again:

Sarra Sakka
Ranch Hand

Joined: Jul 12, 2013
Posts: 272
Thank you for your reply.
John Schretz wrote: You only need the filter for checking the valid user.

Do you mean only like this:

And is this configuration in the web.xml correct?:
John Schretz
Ranch Hand

Joined: Sep 10, 2008
Posts: 188
Sarra Sakka wrote: Thank you for your reply.
John Schretz wrote: You only need the filter for checking the valid user.

Do you mean only like this:


Yes, all you need to do is ask the filter if the user is valid. If yes chain.doFilter, if no redirect to the login page. Very simple.
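
The filter check described above, as an added example that is not code from the thread. The `user` attribute, the `/test/*` mapping and `/authentication.jsp` follow names used in the thread; the class name is an assumption. It also sends no-store headers on every response behind the filter, because a cache header only applies to the response that carries it.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Added example. "user", /test/* and /authentication.jsp follow the thread;
// the class name LoginCheckFilter is an assumption.
@WebFilter("/test/*")
public class LoginCheckFilter implements Filter {

    @Override
    public void init(FilterConfig config) {
        // Nothing to set up; required by the interface before Servlet 4.0.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // Pages behind the filter must not be stored by the browser, otherwise the
        // back button can redisplay a stored copy without sending a new request.
        res.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        res.setHeader("Pragma", "no-cache");
        res.setDateHeader("Expires", 0);

        // getSession(false): an anonymous request must not create a session.
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("user") != null;

        if (loggedIn) {
            chain.doFilter(request, response);   // valid user: continue to the page
        } else {
            res.sendRedirect(req.getContextPath() + "/authentication.jsp");
        }
    }

    @Override
    public void destroy() {
        // No resources to release.
    }
}
```
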
Sarra Sakka
Ranch Hand

Joined: Jul 12, 2013
Posts: 272
Until now, the same problem.
Really, I'm stuck :'(
John Schretz
Ranch Hand

Joined: Sep 10, 2008
Posts: 188
Try this, set the filter up exactly like so and instead of doing a redirect we do a page forward.

Sarra Sakka
Ranch Hand

Joined: Jul 12, 2013
Posts: 272
The same problem
When I click the back button, it displays home.jsp
John Schretz
Ranch Hand

Joined: Sep 10, 2008
Posts: 188
Sarra Sakka wrote:The same problem
When I click the back button, it displays home.jsp


After you click back and it displays the home page, what happens if you then refresh the page? Does it go to the login page then?
Sarra Sakka
Ranch Hand

Joined: Jul 12, 2013
Posts: 272
John Schretz wrote:
After you click back and it displays the home page, what happens if you then refresh the page? Does it go to the login page then?

No, it doesn't go to the login page and remains on the same page, home.jsp
John Schretz
Ranch Hand

Joined: Sep 10, 2008
Posts: 188
Sarra Sakka wrote:
John Schretz wrote:
After you click back and it displays the home page, what happens if you then refresh the page? Does it go to the login page then?

No, it doesn't go to the login page and remains on the same page, home.jsp


If you put a breakpoint in the filter, when you refresh the page at that point does it hit the breakpoint?
Sarra Sakka
Ranch Hand

Joined: Jul 12, 2013
Posts: 272
John Schretz wrote:
If you put a breakpoint in the filter, when you refresh the page at that point does it hit the breakpoint?

No, when I refresh the page it doesn't hit the breakpoint, that means there's a problem in the filter?
John Schretz
Ranch Hand

Joined: Sep 10, 2008
Posts: 188
Sarra Sakka wrote:
John Schretz wrote:
If you put a breakpoint in the filter, when you refresh the page at that point does it hit the breakpoint?

No, when I refresh the page it doesn't hit the breakpoint, that means there's a problem in the filter?


Sounds like the filter URL mappings are incorrect. The request is not passing through the filter. Do you ever hit a breakpoint in the filter? Like when you log in?
Sarra Sakka
Ranch Hand

Joined: Jul 12, 2013
Posts: 272
John Schretz wrote: Do you ever hit a breakpoint in the filter? Like when you log in?

Yes, also when I log in
John Schretz
Ranch Hand

Joined: Sep 10, 2008
Posts: 188
Based on your filter mapping, your URLs should look like

www.mysite.com/authentication.jsp (LOGIN)

www.mysite.com/test/home.jsp (home page)

Notice that the home page URL mapping goes through test, as you had mapped that in your filter




Can you post your entire web.xml?
Sarra Sakka
Ranch Hand

Joined: Jul 12, 2013
Posts: 272
Here's the web.xml:
John Schretz
Ranch Hand

Joined: Sep 10, 2008
Posts: 188
Looks like you are mixing between JSP pages and servlets. All of your entry points should be a servlet, the JSP is your "view". So all the JSP pages should have an associated servlet, i.e. if you have a home.jsp file then you should have a Home Servlet,
and at minimum it will call the servlet and the servlet will serve the JSP page.

Example:



So in places where you would forward or redirect, you would use the URL pattern you mapped in for that servlet

i.e.



So fixing that up and following that pattern will get you in better shape in general.
Then every servlet you create that you want behind that filter should have the URL pattern <url-pattern>/test/**YOUR SERVLET HERE**</url-pattern>
because that is what you defined the filter for.

***The only servlet that does NOT have that pattern is the login servlet because it needs to be OUTSIDE of /test/*
So an example would be:



Sarra Sakka
Ranch Hand

Joined: Jul 12, 2013
Posts: 272
John Schretz wrote:
So in places where you would forward or redirect, you would use the URL pattern you mapped in for that servlet

i.e.

getRequestDispatcher("test/home").forward(req, res);

When I logged in, the home page didn't display
John Schretz
Ranch Hand

Joined: Sep 10, 2008
Posts: 188
Sarra Sakka wrote:
John Schretz wrote:
So in places where you would forward or redirect, you would use the URL pattern you mapped in for that servlet

i.e.

getRequestDispatcher("test/home").forward(req, res);

When I logged in, the home page didn't display


Did you create a home servlet and map the URL to /test/home?
Sarra Sakka
Ranch Hand

Joined: Jul 12, 2013
Posts: 272
Yes, I have created a servlet Home with URL /test/home
Sarra Sakka
Ranch Hand

Joined: Jul 12, 2013
Posts: 272
Without a filter, how can I create a session when I log in and how can I invalidate it when I log out?
Thank you for your effort.