
The session code is not working properly. I copied a link, and after logging out, when I tried to access that link, it worked without asking for a login.

Here is the code of my login page, on which I have created the session:

String user_name = request.getParameter("user_name");
String pass = request.getParameter("pass");
session.setAttribute("user_name", user_name);
session.setAttribute("pass", pass);

Here is the code of the page to which I have transferred my session:

String user_name = (String) session.getAttribute("user_name");

Here is the code of the logout page:

session.setAttribute("user_name", null);
session.invalidate();
response.sendRedirect("index.jsp");
response.addHeader("cache-control","no-cache");

Roman C
Rajat Garg
  • How do you check whether someone is logged on? (Don't store passwords in sessions.. :-) ) – DarkBee Nov 23 '14 at 15:30
  • `String user_name = (String)session.getAttribute("user_name");` `user_name` will be null when redirecting back to the login page after logout. You can check it with `sysout`. – Pravin Nov 23 '14 at 15:32
  • A session doesn't check whether you're logged in or not. It simply stores attributes for a given user (authenticated or not). It's your job to check if a user is authenticated before accessing a restricted resource. – JB Nizet Nov 23 '14 at 15:33
  • Hey Pravin, yes, user name will be null after logout, but it redirects back to the home page if I press the back button after logout. – Rajat Garg Nov 23 '14 at 15:37
  • Hey JB, I am also checking for authentication, and that is not my problem. Here is the code for the authentication: `if(user_name!=null && pass!=null){ Class.forName("sun.jdbc.odbc.JdbcOdbcDriver"); Connection con = DriverManager.getConnection("jdbc:odbc:epm","root","root"); PreparedStatement pst=con.prepareStatement("select * from login where user_name =? and pass =?"); pst.setString(1, user_name); pst.setString(2, pass); ResultSet rs=pst.executeQuery(); if(rs.next()){ }else{ } }` – Rajat Garg Nov 23 '14 at 15:38
  • That's not what I'm saying. Every time a request comes in to a restricted resource, you must check that the user is authenticated. Not just at login time. The session doesn't do that for you. The session is just a mechanism to associate state to a user. You could for example add a flag "isAuthenticated" to the session. But you need to check that flag every time it's needed. – JB Nizet Nov 23 '14 at 15:44
  • Hello DarkBee, thanks for your suggestion, but again I am facing the same problem after removing the password from the session. – Rajat Garg Nov 23 '14 at 15:44
  • Okay Nizet, now I understand what you want to say. Thanks for your help. I have to initialize the isAuthenticated flag at login time, and then that flag is used on every page. Right? – Rajat Garg Nov 23 '14 at 15:46
  • What happens when you use the three response headers as given by BalusC at http://stackoverflow.com/questions/4194207/prevent-user-from-going-back-to-the-previous-secured-page-after-logout ? – rickz Nov 23 '14 at 15:46
  • Hello rickz, actually I am looking for a solution in JSP; I am not using servlets. But thanks, it will help another time. – Rajat Garg Nov 23 '14 at 15:52
  • Yes, please put the three header lines in your JSP. – rickz Nov 23 '14 at 15:53
  • But actually I do not want to include a servlet. – Rajat Garg Nov 23 '14 at 16:00
  • @Rajat you need to check that isAuthenticated is true every time the user must be authenticated to access the page. This should be done in a ServletFilter, once and for all. Not in each individual page. Using only JSPs is awful design. Use the MVC principle, and use the JSP as a view component only. JSPs should not contain any Java code. Only custom tags and the JSP EL. – JB Nizet Nov 23 '14 at 16:01
  • You don't need a Servlet. Just use the three header lines in your JSP. – rickz Nov 23 '14 at 16:01
  • I know it is a sin. But just use a JSP for a test. – rickz Nov 23 '14 at 16:04
  • @rickz I used the code, but it shows an error that void is not a return type of the doFilter method. – Rajat Garg Nov 23 '14 at 16:13
  • All I suggested was a simple test: just the three response header lines inserted into your two JSPs. But maybe JB Nizet is right. – rickz Nov 23 '14 at 16:28

1 Answer


One important thing: sendRedirect() should be the last command issued on the response.

response.addHeader("cache-control","no-cache");
response.sendRedirect("index.jsp");

In index.jsp, if it is a protected resource, you should redirect to the login page if there is no valid user_name in the session.

String user_name = (String) session.getAttribute("user_name");
if (user_name == null) {
    response.sendRedirect("login.jsp");
    return; // stop rendering the rest of the page once the redirect is committed
}
Roman C
  • Hello Roman, thanks for this information, and yes, I always write sendRedirect() as the last command on the response. – Rajat Garg Nov 23 '14 at 17:47
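
Putting the thread's advice together, as an added example that is not code from the question, the comments or the answer: a servlet Filter that performs the per-request check JB Nizet describes (an isAuthenticated flag in the session, checked once for every protected URL instead of in each JSP), sets the three cache headers rickz points to before anything is committed, keeps sendRedirect() as the last call on the response as the answer says, and never puts the password in the session, as DarkBee asks. The class and attribute names (AuthFilter, isAuthenticated), the /app/* URL pattern, the package name and the login.jsp / index.jsp paths are assumptions; the filter needs the Servlet 3.0 API (javax.servlet) and is registered with @WebFilter, so no web.xml entry is required.

```java
// Added example, not code from the question or the answer.
// Assumed names: package "example", class AuthFilter, session attribute
// "isAuthenticated", protected URL pattern /app/*, pages /login.jsp and /index.jsp.
package example;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Every request under /app/* passes through doFilter() before the JSP runs,
// so the authentication check lives in one place instead of in every page.
@WebFilter(urlPatterns = {"/app/*"})
public class AuthFilter implements Filter {

    static final String AUTH_FLAG = "isAuthenticated";

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Headers must be set before the response is committed; a header added
        // after sendRedirect() is silently dropped. These three stop the browser
        // from showing a cached copy of a protected page via the back button.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        // getSession(false) does not create a session for an anonymous request.
        HttpSession session = request.getSession(false);
        boolean authenticated = session != null
                && Boolean.TRUE.equals(session.getAttribute(AUTH_FLAG));

        if (!authenticated) {
            // sendRedirect() commits the response; nothing may be written after it.
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }

    /** Called by the login page only after the credentials have been verified. */
    static void markAuthenticated(HttpServletRequest request, String userName) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate(); // drop the pre-login session id (session fixation)
        }
        HttpSession session = request.getSession(true);
        session.setAttribute(AUTH_FLAG, Boolean.TRUE);
        session.setAttribute("user_name", userName);
        // the password is deliberately not stored in the session
    }

    /** Called by the logout page; the redirect is the last call on the response. */
    static void logout(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        response.sendRedirect(request.getContextPath() + "/index.jsp");
    }
}
```

The login page calls AuthFilter.markAuthenticated(request, user_name) only when the database lookup succeeds, and the logout page calls AuthFilter.logout(request, response). Because the filter runs before any protected JSP, the per-page null check from the answer becomes unnecessary, and the "void is not a return type of doFilter" error from the comments does not arise as long as doFilter is written with the signature shown above rather than pasted into a JSP scriptlet.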