-1

Possible Duplicate:
Prevent user from going back to the previous secured page after logout

I have to create a login and logout page with sessions. Now I have to invalidate the session after a certain interval of time and after clicking the logout button. After the session expiry time and the logout action, no one should be able to access previous pages by clicking the browser's back button without logging in again.

How can I achieve this?

user1197114
  • You will want to try solving the problem on your own first. Asking for full working code isn't what this site is for. Try re-phrasing your question and giving some effort on your part. – Sean Aug 28 '12 at 12:41

2 Answers

1

Set the session timeout in the web.xml file:

<session-config>
   <session-timeout>30</session-timeout> 
</session-config>

Put the user's name in the session when a user logs in:

session.setAttribute("userName", userName);

And kill it when a user logs out:

session.removeAttribute("userName");

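Create a filter to validate a user, like this:

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class AuthorizationFilter implements Filter {

    public void init(FilterConfig filterConfig) throws ServletException { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                                          throws IOException, ServletException {

        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        HttpSession session = req.getSession();

        String userName = (String) session.getAttribute("userName");

        if (userName == null) {
            rejectRedirect(req, res);
            return; // stop here: do not pass an unauthenticated request down the chain
        }

        chain.doFilter(request, response);
    }

    // Sends the browser to the login page inside this web application.
    private void rejectRedirect(HttpServletRequest req, HttpServletResponse res) throws IOException {
        res.sendRedirect(req.getContextPath() + "/login.jsp"); // or warning page
    }

    public void destroy() { }
}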

And map this filter in the web.xml:

<filter> 
   <filter-name>Authorization Filter</filter-name> 
   <filter-class>yourpackage.AuthorizationFilter</filter-class> 
</filter> 
<filter-mapping> 
   <filter-name>Authorization Filter</filter-name> 
   <url-pattern>*.jsp</url-pattern> 
</filter-mapping> 
kapandron
  • Sir, I went through your suggestions but I am not getting how to use this in the login and logout page. – user1197114 Aug 29 '12 at 13:36
  • Will you please guide me up to there, as I don't have the idea to use this. – user1197114 Aug 29 '12 at 13:37
  • Create submit button `logout` in form: `
    `. Delete session attribute on the `logout.jsp` page. This isn't certainly the best approach in terms of app architecture. But such decision will be acceptable for a test application.
    – kapandron Aug 29 '12 at 14:30
  • I believe that you're not understanding the concrete question. – BalusC Aug 29 '12 at 15:02
  • @BalusC Do you suppose my solution will not work? – kapandron Aug 29 '12 at 15:30
  • No, you are just answering a completely different question which the OP didn't initially ask at all (and are thus completely confusing the OP as to how to implement this "solution"). Check the possible duplicate link comment on the question to see a clearer question and the right answer. – BalusC Aug 29 '12 at 15:32
  • @Andrey Thank you Sir for your suggestion. Sir, I don't have an idea of how to use a filter with my login and logout page with session. Please Sir, give me an example of a login and logout page. Thank you Sir. – user1197114 Aug 30 '12 at 04:25
  • @AndreyKapelchik Sir, please help me out. I know you are directing me to the right way but because of less knowledge I am not able to complete. – user1197114 Aug 30 '12 at 04:49
  • First read this [post](http://stackoverflow.com/questions/4194207/prevent-user-from-going-back-to-the-previous-secured-page-after-logout/4194251#4194251). And study these simple examples [here](http://docs.oracle.com/cd/A97336_01/cont.102/a75172/jsp.html#1016013) and [here](http://www.roseindia.net/quickguide/tomcat/Logout.shtml). They'll help you to understand the principle of the login/logout mechanism. – kapandron Aug 30 '12 at 06:11
  • @AndreyKapelchik Sir, I did as per your suggestion but am getting an infinite loop error because of filters. Will you please guide me to resolve this. – user1197114 Aug 30 '12 at 09:24
  • My failure! Rename the page `login.jsp` to `login.html` if it contains only the HTML code. Or another solution is to create a directory `jsp` and put in it all your JSP pages except the `login.jsp`. And in this case change the mapping of the filter in `web.xml`: `/jsp/*`. Like this the filter'll check all pages except the login page. – kapandron Aug 30 '12 at 10:04
  • @AndreyKapelchik Thank you Sir. It worked but still my page is not redirecting to index.jsp page after session time of 1 min. I posted my code. Please see. – user1197114 Aug 30 '12 at 10:26
  • This code is incorrect. See my previous comment. – kapandron Aug 30 '12 at 10:33
  • @AndreyKapelchik Sir, I changed web.xml and put all JSP pages inside the jsp folder except this not redirecting to login page. – user1197114 Aug 30 '12 at 10:45
  • First, redirect doesn't happen automatically. For this to happen, you must send a request to server for this page. And the second is that a web server executes destroying of session at certain intervals. It happens not immediately. Read this [post](http://stackoverflow.com/questions/3118968/sessiontimeout-web-xml-vs-session-maxinactiveinterval/3119074#3119074). – kapandron Aug 30 '12 at 12:31
  • @AndreyKapelchik Thank you very much Sir, but how to use this in my code? Do I have to use this code in every page? Sir, please help me, otherwise it will be a big problem for me. – user1197114 Aug 30 '12 at 12:47
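
A filter that combines the pieces discussed in this thread, as an added example that is not part of any answer or comment: it sends no-cache headers so the back button re-requests the page instead of showing a stored copy, skips the login page to avoid the redirect loop, and invalidates the whole session on logout. It assumes a `/*` filter mapping, the `userName` session attribute from the answer above, and a hypothetical `/logout` URL that the logout form posts to.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (not the answerer's code). Map it to /* in web.xml.
public class SessionGuardFilter implements Filter {

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String path = req.getServletPath();          // e.g. "/login.jsp"
        String login = req.getContextPath() + "/login.jsp";

        // Forbid the browser from storing the page, so pressing "back" sends a
        // fresh request that has to pass the session check below again.
        res.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        res.setHeader("Pragma", "no-cache");          // HTTP/1.0 clients
        res.setDateHeader("Expires", 0);              // proxies

        // getSession(false): never create a session just to test for a login.
        // After the web.xml timeout the container discards the session, so
        // the next request sees null here and is redirected.
        HttpSession session = req.getSession(false);

        // Hypothetical logout URL; POST only, so a plain link cannot trigger it.
        if ("/logout".equals(path) && "POST".equals(req.getMethod())) {
            if (session != null) {
                session.invalidate();                 // drops every attribute
            }
            res.sendRedirect(login);
            return;
        }

        boolean loggedIn = session != null
                && session.getAttribute("userName") != null;

        // Exempting the login page avoids the infinite redirect loop.
        if (!loggedIn && !"/login.jsp".equals(path)) {
            res.sendRedirect(login);
            return;                                   // never fall through
        }
        chain.doFilter(req, res);
    }
}
```

The redirect only happens on the next request the browser sends after the timeout; nothing pushes the user to the login page while the tab sits idle.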
0
    public void doFilter(ServletRequest req, ServletResponse res,
            FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        HttpServletResponse response = (HttpServletResponse) res;

        HttpSession session = request.getSession();

        String userName = (String) session.getAttribute("loggedVendor");

        if (userName == null) {
            response.sendRedirect("index.jsp");
            return; // do not continue the chain after redirecting
        }

        chain.doFilter(request, response);
    }

    public void init(FilterConfig filterConfig)
            throws ServletException {
        // We can initialize a filter using the init-params here
        // (which we defined in the deployment descriptor - web.xml)
    }

<filter>
    <filter-name>AuthorizationFilter</filter-name>
    <filter-class>AuthorizationFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>AuthorizationFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
</filter-mapping>
quetzalcoatl
user1197114