-1

I'm trying to log out users and destroy the session by having the user click on a link to a jsp that is not mapped to a servlet.

In my logout.jsp I have the following (Edit: added the remove calls since posting, but it's still not clearing the session):

<%
  session.removeAttribute("loggedin");
  session.removeAttribute("loggedUsrID");
  session.removeAttribute("loggedUsrFName");
  session.invalidate();
  response.sendRedirect(request.getContextPath());
%>

When it is clicked, I'm redirected to index.jsp. However, when I close the browser, launch the application again in NetBeans and click on a link, I see the following in the address bar:

http://localhost:8084/myapp/register.jsp;jsessionid=0002B8466FB3CC578C56E61017E9FD3C

For completeness, I'm including the section of my user controller which logs in the user and sets the session, in case I'm doing something wrong there:

//Handle User Login
private String logInToSite(HttpServletRequest request,
        HttpServletResponse response) {

    String url;        
    String message;
    // get values from form
    String pNum = request.getParameter("phoneNumber");
    String upwd = request.getParameter("password");

    //validate the values to check for empty values in case JS registration check has failed.
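    // getParameter() returns null when the field is absent, so check for null before length()
    if(pNum==null || upwd==null || pNum.length()==0 || upwd.length()==0){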
        message="You have not filled out the required fields.";
        request.setAttribute("message", message);
        url = "/login.jsp";
        return url;
    }

    //Format the phone number
    String mPNum=UserDB.formatPhoneNumber(pNum);
    User user = UserDB.loginUser(mPNum, upwd);

    if(user==null){
        message="User null";
        request.setAttribute("message", message);
        url = "/loginerror.jsp";
    }else{
        String hpwd = user.getPwd();
        if(BCrypt.checkpw(upwd, hpwd)==false){
           message="password didn't match";
           request.setAttribute("message", message);
           url="/loginerror.jsp";               
        }
        else{
            boolean logged=false;
            HttpSession session = request.getSession();
           session.setAttribute("loggedUsrID", user.getUserID());
           session.setAttribute("loggedUsrFName", user.getFName());
           session.setAttribute("loggedin",logged=true);
           url="/schedule/welcome.jsp";
        }
    }      
    return url;
}
Graham
  • What else is in your JSP? Is it referencing any CSS / JS / favicon that might be keeping the session alive? You shouldn't need any of the session.removeAttribute lines. – Nicholas Hirras Oct 22 '17 at 20:20

1 Answer

0

I'm doing a similar logout jsp for my project. The entire content of my JSP is only this:

<%
    session.invalidate();
    response.sendRedirect(request.getContextPath());
%>

Make sure you aren't referencing any other content such as CSS or JavaScript from your site within your logout.jsp.

Nicholas Hirras
  • My entire logout page just consists of the code above. However, the structure for the rest of the site pages is to include the header.jsp as a separate page. – Graham Oct 22 '17 at 20:30
  • After you logout and then re-launch your browser, are you seeing the previous session values still in-session? – Nicholas Hirras Oct 22 '17 at 20:39
  • Sorry for reply, connection issues. Setting the COOKIE setting in web.xml appears to have resolved the issue. – Graham Oct 23 '17 at 13:27
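
The fix reported in the last comment, written out as an added example (not code posted by anyone in the thread): a Servlet 3.0+ web.xml `session-config` that limits session tracking to cookies, so the container no longer appends `;jsessionid=...` to encoded URLs and redirects. It assumes the "COOKIE setting" refers to `<tracking-mode>`; the timeout value and the `cookie-config` flags are additional hardening that the thread does not mention.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

    <!--
        When no tracking-mode is declared, the container picks its own
        defaults, which commonly include URL rewriting. On a request that
        carries no session cookie yet (for example the first request
        after the browser was closed and reopened), any link passed
        through response.encodeURL() / encodeRedirectURL() or a tag that
        encodes URLs gets ";jsessionid=<id>" appended. That is a NEW
        session's ID showing up in the address bar, not the invalidated
        one; session.invalidate() did its job.

        A session ID in the URL ends up in browser history, bookmarks,
        Referer headers and proxy or access logs, so restrict tracking
        to cookies only.
    -->
    <session-config>
        <!-- Idle timeout in minutes (constructed value, adjust to policy). -->
        <session-timeout>30</session-timeout>

        <cookie-config>
            <!-- Keep the session cookie out of reach of page scripts. -->
            <http-only>true</http-only>
            <!-- Send the cookie over HTTPS only. Enable this when the
                 application is served over TLS; a plain-HTTP development
                 deployment may need it set to false. -->
            <secure>true</secure>
        </cookie-config>

        <!-- The setting that removes ;jsessionid from URLs. -->
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>

</web-app>
```

The child elements of `session-config` must appear in this order (`session-timeout`, `cookie-config`, `tracking-mode`) to validate against the deployment descriptor schema.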