JSP Servlet session invalidate() does not make session null

Question

I have three simple HttpServlet classes in my JSP project, "LoginServlet", "LogoutServlet" and "ProfileServlet".

• LoginServlet: log in user by setting "name" attribute to session
• LogoutServlet: log out user and invalidate session
• ProfileServlet: display user welcome info if user has logged in

The last two servlets are as below that I reckon are problematic.

@SuppressWarnings("serial")
public class LogoutServlet extends HttpServlet {
        protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
            response.setContentType("text/html");
            PrintWriter out=response.getWriter();

            HttpSession session=request.getSession(false);
            session.invalidate();

            request.getRequestDispatcher("link.jsp").include(request, response);

            out.print("You are successfully logged out!");

            out.close();
    }
}

And

@SuppressWarnings("serial")
public class ProfileServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request,
            HttpServletResponse response) throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        request.getRequestDispatcher("link.jsp").include(request, response);

        HttpSession session = request.getSession(false);
        if (session != null) {
            String name = (String) session.getAttribute("name");

            out.print("Hello, " + name + " Welcome to Profile");
        } else {
            out.print("Please login first");
            request.getRequestDispatcher("login.html").include(request,
                    response);
        }
        out.close();
    }
}

And the link.jsp:

<% HttpSession nsession = request.getSession(false);
if(nsession == null) {
%>
<a href="login.html">Login</a>
<%
}
else {
%>
<a href="LogoutServlet">Logout</a>
<%
}
%>
<a href="ProfileServlet">Profile</a>
<hr/>

The problem is while user is logged in, when the "Logout" link is clicked and "LogoutServlet" is called, session is not correctly invalidated and ProfileServlet still prints out

"Hello, null Welcome to Profile"

instead of redirecting to the "login.html" page because the session is still NOT null. As a result of it, "Login" link is not shown on the "link.jsp" page. This stops the user from being able to attempt to log in again.

EDIT: To make the problem clarified, I made a new html page and updated the servlets to do

request.getRequestDispatcher("link.html").include(request, response);

And the "link.html".

<a href="login.html">Login</a>
<a href="LogoutServlet">Logout</a>
<a href="ProfileServlet">Profile</a>
<hr/>

Interestingly this does what I wanted! I guess the problem is

request.getRequestDispatcher("link.jsp").include(request, response);

But I am unable to explain why...

Answer 1

In JSP new session is created by default, if non present, so you will always get non null session. You can disable that by adding following page directive to your page:

<%@ page session="false" %>

For more info check the following Why set a JSP page session = “false” directive?

Answer 2

When it calls invalidate() it removes that session from server context and all associated data with that session,

When you make new request it creates new one and so you see null as the data because new session doesn't have data in it

You should check for a logical attribute inside session to validate it user is logged in or not, instead of session itself

Answer 3

That may help You Check it out for condition checking.

Condition To Check:

<%
if (session.getAttribute("name") == null || 
session.getAttribute("name").equals(""))
{
response.sendRedirect("login.jsp");
}
%>

Set Up While Logout:

session.setAttribute("name", "");
session.invalidate();
response.sendRedirect("login.jsp");