Logout
I have another doubt regarding logout in JSP.
I want to redirect to the login page, or display a page showing "the session expired", if a user enters a URL of my application directly in the browser or presses the back button in the browser after logging out.
Can you help me out with sample code?
[349 byte] By [eldho_frsa] at [2007-11-26 20:12:24]

# 3
> Hi there,
>
> I have the same issue here. I've written a JSP that
> simply checks for invalid session attributes. If any
> of these is null, redirect to login page. Hence, I
> include this JSP within every other page.
>
> if (session.getAttribute("myAttribute") == null) {
>     response.sendRedirect("http://localhost:8080/myWeb/login.jsp");
> }
>
>
> hope this helps?
This could be better integrated using a Servlet Filter.
This way, you avoid importing/ including that page in other pages.
And this check is only in one place.
Regards,
Sebastien Degardin
# 8
Hey friend,
Out of all this advice, I could have advised you to check similar previous posts where we've had similar discussions.
However, check out the link below where the author discusses some of the popular logout practices followed.
http://www.javaworld.com/javaworld/jw-09-2004/jw-0927-logout.html
And from me, I would advise you to follow these steps.
1). Remove all existing session attributes and invalidate the session, and before redirecting to the login page create a brand new session altogether.
Eg:
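// getSession(false) returns null when there is no session, so check first
HttpSession session = request.getSession(false);
if (session != null) {
    // "enum" is a reserved word since Java 5, so the variable is renamed
    java.util.Enumeration names = session.getAttributeNames();
    while (names.hasMoreElements()) {
        String name = (String) names.nextElement();
        session.removeAttribute(name);
    }
    session.invalidate();
}
// start a brand new session before redirecting to the login page
session = request.getSession(true);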
2). Stop caching of pages on the client side.
Eg:
// one Cache-Control header: a second setHeader call would replace the first
response.setHeader("Cache-Control", "no-store, no-cache, max-age=0, post-check=0, pre-check=0");
response.setHeader("Pragma", "no-cache");
// max-age is a Cache-Control directive, not a header; Expires is set once
response.setDateHeader("Expires", 0);
And it is a good practice to use the meta tags given below in most of the JSP pages.
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="expires" content="0">
3). And there are a few third-party filters which could also be used to make this operation more secure.
Make sure that all of these are done and then try to redirect the page to the login page.
Please go through the link and implement a few of the things mentioned there, looking at what is possible for you as of now.
Hope this might be of some help.
Have a wonderful weekend... :)
REGARDS,
RaHuL
# 9
Thanks, pal!
That's a great article! I've a question though, midway through one of the samples. My logout.jsp has a form that asks the user to confirm logout. If the user presses the "Yes" button, well, case closed. However, since I've disallowed caching for all protected pages, when that user presses "No", it's as good as logging out because I defined onclick="history.go(-1)"
Did I miss out something crucial here?
Thanks in advance.