2

I am making a project using an MVC framework, wherein I have created a session on multiple pages, and on every page there is an anchor tag displaying (logout) which redirects the user to the 1st page (Login Page). What I am trying to do is: when the user is redirected to the login page, it checks whether there is already an existing session; if yes, it invalidates the session and the user has to log in again. But my code doesn't work: after invalidating the session, when I click on submit without filling in the username/password, it still takes the old value. Please tell me where I am going wrong.

    <jsp:useBean id="theBean" class="pack.java.MyModel"/>
    <jsp:setProperty name="theBean" property="name" param="userName"/>
    <jsp:setProperty name="theBean" property="pass" param="userPass"/>
    <%@ taglib uri="/WEB-INF/jsp2/taglib1.tld" prefix="easy" %>
    <html>
    <head>

    </head>
    <body >
    <form  method="post">
    <h1>Login please</h1>
    Enter username : <input type = text  name = userName  >
    </br>
    Enter password : <input type = password  name = userPass  >
    </br>
    <input type = submit name = submit value = submit>
    </br>
    <%
        HttpSession session=request.getSession(false);

        if(session!=null)
        {
            session.invalidate();
        }
        String btn = request.getParameter("submit");
        if(btn!=null)
        {
    %>
    <easy:myTag/>
    <%
        }
    %>
    </form>
    </body>
    </html>

Gaurav
  • Why are you using scriptlets? http://stackoverflow.com/questions/3177733/how-to-avoid-java-code-in-jsp-files?rq=1 – adarshr Aug 18 '13 at 09:34
  • I am using a custom tag, that's why. – Gaurav Aug 18 '13 at 10:43
  • That's not a good enough reason to write `session.invalidate()` in a JSP. Write a dedicated servlet that does the invalidate and simply provide a link to it in your JSP. If you really want to make sure the user is signed out before he tries to sign in, write a filter which does that and hook it up to the sign-in flow. – adarshr Aug 18 '13 at 13:18

2 Answers

2

It depends on the framework.

The code

    <%
    session.invalidate();
    %>

invalidates a session, but what does the "easy:myTag" do?

Put the session invalidate in a separate page; if it works, you have to investigate the custom tag myTag.

venergiac
  • Yes, I am using a custom tag, and what do you mean by putting the session invalidate in a separate page? The reason I am using session invalidate on this page is that whenever the user comes to this page he has to log in every time. Please explain what exactly I should do. – Gaurav Aug 18 '13 at 10:43
  • Generally speaking, the session invalidate works, but it depends on the page life cycle. Firstly, if you are using the J2EE Authentication service, you cannot call the login page directly, but you execute the logout in a separate page and then you redirect the user to the Home page. Then the container checks the user and, if not authenticated, it redirects to the login page. This lifecycle is described here: http://docs.oracle.com/javaee/6/tutorial/doc/glxce.html – venergiac Aug 18 '13 at 11:41
0

Your problem is that you are calling invalidate way after the response header. Once the JSP has been converted to a servlet, the HTML code is before those lines of commands. Try putting it before the `<html>` tag.

Behind the scenes, the system extracts a user ID from a cookie or attached URL data, then uses that ID as a key into a table of previously created HttpSession objects. But this is all done transparently to the programmer: you just call getSession. If no session ID is found in an incoming cookie or attached URL information, the system creates a new, empty session. And, if cookies are being used (the default situation), the system also creates an outgoing cookie named JSESSIONID with a unique value representing the session ID. So, although you call getSession on the request, the call can affect the response. Consequently, you are permitted to call request.getSession only when it would be legal to set HTTP response headers: before any document content has been sent (i.e., flushed or committed) to the client.

As stated in this file: http://www.java-programming.info/tutorial/pdf/csajsp2/08-Session-Tracking.pdf

From this site: http://courses.coreservlets.com/Course-Materials/csajsp2.html

For more general info:

Discarding Session Data

When you are done with a user’s session data, you have three options.

• Remove only the data your servlet created. You can call removeAttribute("key") to discard the value associated with the specified key. This is the most common approach.

• Delete the whole session (in the current Web application). You can call invalidate to discard an entire session. Just remember that doing so causes all of that user’s session data to be lost, not just the session data that your servlet or JSP page created. So, all the servlets and JSP pages in a Web application have to agree on the cases for which invalidate may be called.

• Log the user out and delete all sessions belonging to him or her. Finally, in servers that support servlets 2.4 and JSP 2.0, you can call logout to log the client out of the Web server and invalidate all sessions (at most one per Web application) associated with that user. Again, since this action affects servlets other than your own, be sure to coordinate use of the logout command with the other developers at your site.

Analyst
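An added example (not code from the question or from either answer) of the dedicated-servlet approach suggested in the comments, applying the last answer's point that the session has to be handled before any output is committed. It uses the Servlet 3.0 API; the `/login` mapping, `/WEB-INF/login.jsp`, `/home`, the `error` attribute and a configured container realm behind `request.login()` are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

// Assumed for this example: the /login mapping, /WEB-INF/login.jsp, /home,
// the "error" attribute, and a container security realm behind req.login().
@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    // GET: every logout link points here; nothing has been written to the response yet.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        discardSession(req);
        showForm(req, resp);
    }

    // POST: the login form submits here (field names as in the question).
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getParameter("userName");
        String pass = req.getParameter("userPass");
        discardSession(req);                 // never carry a pre-login session over
        boolean ok = name != null && !name.trim().isEmpty() && pass != null && !pass.isEmpty();
        try {
            if (ok) req.login(name, pass);   // container authentication (Servlet 3.0)
        } catch (ServletException e) {
            ok = false;                      // rejected by the realm
        }
        if (!ok) {                           // empty or wrong input never reaches a session
            req.setAttribute("error", "Invalid username or password");
            showForm(req, resp);
            return;
        }
        req.getSession(true);                // a session exists only after a successful login
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    private static void discardSession(HttpServletRequest req) throws ServletException {
        req.logout();                        // clear the container's authenticated user
        HttpSession old = req.getSession(false); // false: do not create one just to destroy it
        if (old != null) { old.invalidate(); }
    }
    private static void showForm(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setHeader("Cache-Control", "no-store"); // keep the form out of caches
        req.getRequestDispatcher("/WEB-INF/login.jsp").forward(req, resp);
    }
}
```

The form JSP should declare `<%@ page session="false" %>`, because a JSP otherwise creates a new session implicitly when it is rendered.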