20

A pretty simple requirement. After logging into web J2EE 6 application, how can I have the user logout again?

Most (all?) the books and tutorials I have seen show how to add a login/loginerror page to their application and demonstrate the use of security principals/roles/realms etc using the "j_security_check" method - all good. But then it's not clear how to give the user the power to logout. Indeed, how can I force a logout after, say, the session times out, etc?

Ramesh PVK
smagrath

3 Answers

27

You should have a logout servlet/JSP which invalidates the session in one of the following ways:

  • Before Servlet 3.0, use the session.invalidate() method, which invalidates the session as well.
  • Servlet 3.0 provides an API method HttpServletRequest.logout() which invalidates only the security context; the session still exists.

And the application UI should provide a link which invokes that logout servlet/JSP.

Question: Indeed, how can I force a logout after, say, the session times out, etc?

Answer: The <session-timeout> in web.xml lets you define the timeout value after which the session will get invalidated by the server.

Ramesh PVK
  • Thanks Ramesh - that allowed me to put it together properly I think. One thing I picked up elsewhere was the importance of `return "/index?faces-redirect=true";` - this is needed to break the existing session and any client-side caching that may be going on. – smagrath Jun 06 '12 at 00:53
  • 3
    For clarity Servlet 3.0 you must do both logout() and session.invalidate()? – ammianus Jun 10 '14 at 16:34
  • If you logout without invalidating the session, you ought to have a really good reason since it opens you up to information leakage. Users who log out intentionally expect to be treated as if they'd never logged in—especially if they're using a public terminal! See https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Renew_the_Session_ID_After_Any_Privilege_Level_Change – David Leppik Mar 30 '17 at 15:57
  • Probably I don't understand this answer well: "in web.xml lets you define the timeout value after which the session will get invalidated by the server". I understand that this session timeout is the time that the container waits after the session is invalidated; and that's not correct, because this session timeout param is the time which the container waits, if it does not receive a request, before it can invalidate the session. – Cristian Hoyos Jan 12 '18 at 18:55
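As an added example (not code from any of the answers above), here is a Servlet 3.0 logout servlet that does both of the things the comments discuss: it clears the container's security context with request.logout() and invalidates the HttpSession, then stops the browser from showing cached pages after logout. The /logout path, the redirect target and the class name are assumptions for illustration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumed mapping; wire it to whatever path your logout link or button posts to.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // 1. Servlet 3.0: clear the security context (principal and roles) for this request.
        request.logout();

        // 2. Invalidate the HttpSession as well, so no application state or
        //    JSESSIONID binding outlives the logout (see the OWASP note above).
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 3. Ask the browser and any intermediate cache not to re-serve the old pages.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        // 4. Redirect rather than forward, so the post-logout page is a fresh request
        //    that carries no authenticated state. The target page is an assumption.
        response.sendRedirect(request.getContextPath() + "/index.xhtml");
    }

    // A plain link can still log out via GET; POST is preferable because a GET
    // logout can be triggered by any page that embeds the URL (e.g. in an img tag).
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }
}
```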
5

You can do it programmatically using the logout() method of HttpServletRequest. There is also a corresponding method for logging in with username and password. These methods have been added in Servlet 3.0, so they're available in Java EE 6.

A timeout is a different beast and can be specified in web.xml as follows:

<session-config>
  <session-timeout>30</session-timeout>
</session-config>

The time unit is minutes.

Arjan Tijms
ftr
1

Two-step process:

1. Create the logout page
2. Create a session bean with a logout method

STEP A: The Logout Page

<div class="mytext">
    <p>Hello #{userSession.username}, </p>
    <p><h:outputText value="It doesn't seem you're logged in anyway..." rendered="#{!userSession.userLoggedIn}" /></p>
</div>
<h:form class="mytext" rendered="#{userSession.userLoggedIn}">
    <h:panelGrid columns="2">
        <h:outputLabel value="Do you want to logout?" for="logout" />
        <p:commandButton value="Logout" id="logout" action="#{userSession.logout}" />
    </h:panelGrid>
</h:form>

STEP B: Session Bean Backing Code (snippet)

import javax.faces.context.FacesContext;
import javax.servlet.http.HttpSession;

// Session-scoped backing bean referenced as #{userSession} in the page above
// (class name assumed; the original snippet showed only the methods).
public class UserSession {

    /** Invalidate the HTTP session and send the browser to the index page. */
    public String logout() {
        HttpSession session = (HttpSession) FacesContext.getCurrentInstance().getExternalContext().getSession(true);
        session.invalidate();
        // faces-redirect=true makes JSF issue a real redirect, so the next request
        // arrives without the old session.
        return "/index?faces-redirect=true";
    }

    /** True when the container reports an authenticated remote user for this request. */
    public boolean isUserLoggedIn() {
        String user = this.getUsername();
        boolean result = !((user == null) || user.isEmpty());
        return result;
    }

    /** Get the login username if it exists */
    public String getUsername() {
        String user = FacesContext.getCurrentInstance().getExternalContext().getRemoteUser();
        return user;
    }
}
smagrath