Session Invalidate in WAS

dennis zined
Ranch Hand
Posts: 330
Hi all!

I'm having a WAS problem and badly need help. My application uses form-based authentication, and to log a user out I call the invalidate() method. I understand that the next time this user requests a protected resource, the web application will send the user to the configured login page. However, this is not happening in my web application. After session.invalidate() has been called, the user can still access a protected resource with a new session, bypassing the login page.

Am I missing something?

I would appreciate any help/feedback/insight/etc.

Thanks.
Shailesh Chandra
Ranch Hand
Posts: 1087
Put the user id in the session immediately after validating the user. And include a jsp file in every jsp that will check if session("user") == null; then it will redirect the user to the login page.

This is a very basic idea. Implement it as per your system design. There are many other ways too.

dennis zined
Ranch Hand
Posts: 330
Shailesh, thank you for your reply.

Your solution, however, is what I was hoping to avoid. My impression of the session.invalidate() is that this will be done automatically for me without having to code the checking routine you mentioned.

Please let me know whether my understanding of session.invalidate() is incorrect.

Thanks and hoping for more feedback/insights from this forum.

dennis zined
Ranch Hand
Posts: 330
Found the solution I was looking for. For those interested, it's at: http://www.redbooks.ibm.com/redbooks/pdfs/sg246573.pdf page 68.

Thanks.

Shailesh Chandra
Ranch Hand
Posts: 1087
Definitely it's a very good solution, but specific to WebSphere.
[ October 18, 2004: Message edited by: Shailesh Chandra ]

dennis zined
Ranch Hand
Posts: 330
> Definitely it's a very good solution, but specific to WebSphere.

.... which is fine for now until a standard J2EE form-based logout becomes available. It makes me wonder why there isn't a J2EE form-based logout considering that there is a J2EE standard form-based login. So far I've seen how vendors have implemented their own invalidating-session / form-based logout solution, such as WebLogic's "weblogic.servlet.security.ServletAuthentication.invalidateAll(request)" and IBM's WebSphere ibm_security_logout.

I guess my next question is, what is the best practice for dealing with invalidating login sessions? So far I've come across the following:

1. WebSphere-specific form-based logout
2. Shailesh's solution
3. Maybe closing the web browser

Thanks.

Shailesh Chandra
Ranch Hand
Posts: 1087
Dennis, good point raised.

Let us post it in the J2EE section so that we can get better solutions.

I haven't worked with form-based authentication.

Still, login/logout itself is a very vast functionality. I prefer database authentication, where the password is verified against the database, including encryption.

Even then, there are many things that need to be done application-specifically that a server itself cannot handle.

Like in an application, you enable a database record for the logged-in user; at the same time other users cannot use it.

Now the requirement will be such that you release the same record for other users when the user logs out.

For the logout-related case I have implemented a listener extending HttpSessionListener which performs all my operations on the sessionDestroyed event.

The answer to your question is: best practice differs based on requirement.
[ October 19, 2004: Message edited by: Shailesh Chandra ]
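As an added illustration of the two approaches Shailesh describes (the per-page "is session("user") set?" check, generalised here into a servlet Filter, and an HttpSessionListener that does cleanup on sessionDestroyed), here is example code that is not from the thread or from any vendor. It assumes the attribute name "user", the paths /login.jsp and /logout, and an application-supplied release routine; the three classes would each live in their own source file and be registered in web.xml.

```java
// --- AuthCheckFilter.java ---
// One Filter mapped to the protected paths replaces the "include a jsp in
// every jsp" check: if the session has no "user" attribute, redirect to login.
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class AuthCheckFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getSession(false): never create a fresh session for an unauthenticated hit,
        // otherwise a new empty session would be handed out on every redirect.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }
        chain.doFilter(req, res);
    }
}

// --- LogoutServlet.java ---
// Logout drops the session; the container then fires sessionDestroyed below.
public class LogoutServlet extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        response.sendRedirect(request.getContextPath() + "/login.jsp");
    }
}

// --- RecordReleaseListener.java ---
// Runs on explicit logout and on session timeout alike, so the record the
// user had enabled is released either way. Attributes are still readable here.
public class RecordReleaseListener implements HttpSessionListener {
    public void sessionCreated(HttpSessionEvent e) {}

    public void sessionDestroyed(HttpSessionEvent e) {
        Object user = e.getSession().getAttribute("user");
        if (user != null) {
            RecordLocks.releaseAllHeldBy(user.toString()); // assumed application class
        }
    }
}
```

This filter only checks the application's own attribute; with container-managed form login the server's own credential is a separate matter, which is what the WebSphere-specific logout referenced earlier in the thread addresses.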