3

How can I invalidate the browser session? I am using JSPs. In web.xml the session-timeout has been set to 180 seconds and I want to keep it that way. But the problem is that on some special occasions, for some users, the browser session needs to be invalidated immediately right after a form submit.

I have used session.invalidate(); to invalidate session and also used

response.setHeader("Cache-Control", "no-cache");
response.setHeader("Pragma", "no-cache");
response.setDateHeader("Expires", 0);

But still, when I click the back button it takes me to the same user's session. Is this loading from the browser cache?

This is what I have in my JSP:

<head>
<script type="text/javascript">
function submitForm(){window.document.submitFrm.submit();}
</script>
</head>
<body onload="submitForm()">
<%String output = (String)(request.getAttribute("strOut"));
String hookUrl = (String)(request.getAttribute("hookUrl"));
System.out.println("hookUrl in cwsGroup.jsp : "+hookUrl);%>
<form method="post" action="<%=hookUrl%>" name="submitFrm" id="submitFrm">
<input type="hidden"  name="cxml-urlencoded" value='<%=output%>' />
</form>
<%
response.setHeader("Cache-Control","no-cache");
response.setHeader("Pragma","no-cache");
response.setDateHeader( "Expires", 0 );
session.removeValue("domineName");
session.invalidate();%>
</body>

Am I missing something?

BalusC
Warrior
  • It looks like browser cache. After you click on the Back button, try adding a random number to your URL like rand=234234 & refresh. If it does not redirect to the login page (if you have the authentication set up) then your session invalidation would not have happened. Maybe on form load you can have an AJAX heartbeat to check if you're still in an active session; that can beat the browser cache. – isobar Mar 22 '11 at 07:03

2 Answers

4

Those headers are incomplete. This would only work in Internet Explorer, but would fail in others. The complete set is

response.setHeader("Cache-Control","no-cache,no-store,must-revalidate");
response.setHeader("Pragma","no-cache");
response.setDateHeader("Expires", 0);

And you also need to set them in the previous JSP pages as well. Calling this inside a JSP would only disable caching of the current JSP page. You need to copy-paste it over all JSP pages (shudder). Or even better, use a Filter for this which is mapped on *.jsp. For an example, see this answer.

Community
BalusC
  • @BalusC I am using the above solution in my LogoutAction class when a user performs a logout. I tested this in Mozilla Firefox 17.0.1. I write all the above headers and then invalidate the session. After performing the logout operation the page is forwarded to the login page, then I press the back button of the browser and it shows the dashboard or the last page from where I performed the logout operation. Any help, or should I post another question for it? – Mihir Jan 01 '13 at 07:44
  • @Mihir: Those headers need to be set on responses for which you'd like to turn off the browser cache. Setting them on the response of the logout action only would obviously not set them on all other responses which have previously been sent. – BalusC Jan 01 '13 at 12:24
  • So what to do to accomplish my goal? Should I post another question for you? – Mihir Jan 01 '13 at 16:01
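
The Filter approach recommended in the answer above, written out as an added example (not BalusC's linked code and not from the original page). The class name NoCacheFilter, the "user" session attribute and /login.jsp are assumptions. It also maps the FORWARD dispatcher so that JSPs reached through a servlet forward, as in the question, get the headers too.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Assumed names: NoCacheFilter, the "user" session attribute and /login.jsp.
// On containers older than Servlet 3.0, declare the filter in web.xml instead.
@WebFilter(urlPatterns = "*.jsp",
           dispatcherTypes = {DispatcherType.REQUEST, DispatcherType.FORWARD})
public class NoCacheFilter implements Filter {
    private static final String USER_ATTR = "user";        // assumption
    private static final String LOGIN_PAGE = "/login.jsp"; // assumption

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Set before the JSP writes anything, so the headers reach every page
        // the Back button could otherwise replay from the browser cache.
        response.setHeader("Cache-Control", "no-cache,no-store,must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        // getSession(false) never creates a session; after session.invalidate()
        // the old session id resolves to null here.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;
        boolean isLoginPage = LOGIN_PAGE.equals(request.getServletPath());

        if (!loggedIn && !isLoginPage) {
            // The revalidated request arrives without a live session.
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {}
}
```
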
1

As you said, on clicking the back button the session is getting invalidated. So please invalidate the session on the Back button event.

Please add "<" ">" for the first and last line in the code snippet.

<script type="text/javascript">

      bajb_backdetect.OnBack = function()
      {

        alert('You clicked it!');

      }

</script>
halfer
developer