13
HttpSession session = request.getSession();
try
{
    session.removeAttribute("logonSessData");
    session.invalidate();
    String pageToForward = request.getContextPath();
    response.sendRedirect(pageToForward);
}
catch (Exception sqle)
{
    System.out.println("error UserValidateServlet message : " + sqle.getMessage());
    System.out.println("error UserValidateServlet exception : " + sqle);
}

In the Logout servlet I wrote the above code in the doPost and doGet methods. After logout it shows the login screen, and then if I press the back button it shows the previous screen from before logout; then if I click on any page it shows "HTTP Status 500", and now if I press F5 it is hitting the login servlet and getting the full access of the user.

How do I stop this problem, so that after logout the user cannot use any page via the back button and F5?

ROMANIA_engineer
user1429962
  • Maybe some other services of your app are using the session too, and you're invalidating the whole session. Try to just remove the authentication attributes without calling `invalidate()`. – sp00m Mar 25 '13 at 11:13
  • No need to call session.removeAttribute(...) if you invalidate it anyway. – ymajoros Dec 10 '14 at 08:29

5 Answers

5

What you are doing is good. The browser is caching the previous pages, and when you click the back button it takes you to the previously cached page.

You need to add cache headers which do not allow the browser to cache the page.

Cache-Control: no-cache
Ramesh PVK
  • You're close, but this header alone is not sufficient. See the duplicate question link for the proper set of headers. – BalusC Mar 25 '13 at 11:28
  • the result was the same after adding the following code: response.setHeader("Cache-Control", "no-cache, no-store"); response.setHeader("Pragma", "no-cache"); – user1429962 Mar 25 '13 at 11:44
  • You should not add it to the response of the logout, as incorrectly implied by Ramesh. You should add it to the response of every restricted page using a servlet filter (which can just be the same one where you're checking the logged-in user). Plus, those headers are still incomplete and not cross-browser compatible. See also the answer in the duplicate question. – BalusC Mar 25 '13 at 11:45
  • @BalusC Thank you for following and correcting me !!!! – Ramesh PVK Mar 25 '13 at 18:14
  • @BalusC where is the duplicate question? – Vishal Zanzrukia Jul 10 '14 at 13:18
  • @Vishal: see the question's edit history. A bunch of /review monkeys reopened this question after it being closed as a dupe just for the sake of getting incentive. Due to the broken system, I can't vote once more for dupe. – BalusC Jul 10 '14 at 13:37
1

1) When you click the back button in the browser you get the previous page because of the browser cache.

2) When you click on any page after going back you get status 500 because there is a NullPointerException, since the session object is already invalidated.

3) When you refresh, a new request goes to your servlet or JSP, where you are calling the request.getSession(); method, which creates a new session object for you.

As a result you get full access to all pages again.

To avoid this problem you can follow the steps below.

1) In the application create one servlet, e.g. LoginCheckerServlet.

2) For the above servlet give the URL pattern /*

3) So the servlet will be executed for every request.

4) Now in LoginCheckerServlet check for the username and password in the request parameters.

5) If they are present, perform the login check and display the welcome page.

6) If the username and password are not present, there are two possibilities:

     i) the user is already logged in

    ii) the user is trying to access your app illegally

7) Now call the request.getSession(false); method, which will give you the session object if there is a session already existing for this user, so you can redirect to the welcome page, trusting the user.

8) request.getSession(false); will give you a null value if there is no session existing for this user.

9) If you are not getting the username and password in the request parameters and request.getSession(false); is also giving you null, it means the user is trying to access your application without logging in, and now you can happily display the forbidden page.

Jagadeesh
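A servlet filter that combines the two points made above, the no-cache headers BalusC asks for on every restricted response and the request.getSession(false) check from the step list, as an added example that is not part of any answer here. The filter class name, the /secured/* URL pattern, the /login redirect target and the Servlet 3.0 @WebFilter annotation are assumptions; the logonSessData attribute name is taken from the question's logout code.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical class name and URL pattern; adjust to the application's layout.
@WebFilter(urlPatterns = {"/secured/*"})
public class AuthAndNoCacheFilter implements Filter {

    // Session attribute name assumed from the question's logout code.
    private static final String USER_ATTR = "logonSessData";

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // 1. Forbid caching of every restricted response, so the back button
        //    after logout cannot show a stale copy of a protected page.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1
        response.setHeader("Pragma", "no-cache");                                  // HTTP 1.0
        response.setDateHeader("Expires", 0);                                      // proxies

        // 2. getSession(false) never creates a session; it returns null once
        //    the session was invalidated on logout or has expired, so a
        //    refresh (F5) after logout cannot silently mint a fresh session.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);

        if (user == null) {
            // Not logged in: send to the login page instead of the resource.
            response.sendRedirect(request.getContextPath() + "/login");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

With this in place the logout servlet only needs to invalidate the session; the protected servlets themselves no longer need any session null check, because the filter has already turned away requests without a logged-in user before they reach them.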
0

In every servlet, check whether the session is null or not. If the session is not null, then only do the request processing; else redirect to the login page.

HttpSession session = request.getSession(false); // false: return null instead of creating a new session

if (session != null)
{
    // actual servlet actions
}
else
{
    // redirect to login page
}

Also it would be good if you add a null check for the session in your above code.

HttpSession session = request.getSession(false); // false: do not create a new session
if (session != null)
{
    try
    {
        session.removeAttribute("logonSessData");
        session.invalidate();
        String pageToForward = request.getContextPath();
        response.sendRedirect(pageToForward);
    }
    catch (Exception sqle)
    {
        System.out.println("error UserValidateServlet message : " + sqle.getMessage());
        System.out.println("error UserValidateServlet exception : " + sqle);
    }
}
else
{
    // session already null / expired
}
Avinash K.P
  • I don't know why I got downvoted, but surely the above null check will avoid a NullPointerException which may cause HTTP Status 500. – Avinash K.P Mar 25 '13 at 11:32
  • When you log out and click the browser back button, surely it will take you back to the previous page which is cached. And when you click any button or press F5, the request will fail with HTTP status 500 because the session is no longer available. – Avinash K.P Mar 25 '13 at 11:38
  • I downvoted it because: 1) it doesn't solve OP's concrete problem, 2) it is not DRY, 3) it has a compile error, and 4) it doesn't belong in a servlet at all. See the duplicate question for the right answer. – BalusC Mar 25 '13 at 11:47
-3

What you need to do is set the session into an attribute based on the session.

request.getSession().setAttribute("sess",request.getSession());

Use this to compare it to the current session. If this comparison fails, then redirect to the login page. This should be done in each page.

Aashray
-3

This will create a new session

HttpSession ss = request.getSession(true); // creates a new session.
if (ss.isNew()) {
    ss.invalidate();               // this clears the session
    ss = request.getSession(true); // creates a new session
}
Rohit Goyal
  • Not sure you read the question very well. That does not answer the question actually asked, and would not solve the issue here. – Andrew Barber Jun 13 '14 at 13:14