Re: TC3.3m1 Possible bug with session.invalidate

2001-03-06 Thread Thomas Riemer


I got around this by just removing j_password and j_username from the sessionid.

HttpSession sessionid = request.getSession(false);
if (sessionid != null) {  // getSession(false) returns null when there is no session
    sessionid.removeValue("j_password");
    sessionid.removeValue("j_username");
}

"Dunlop, Aaron" wrote:
 
I seem to be having a similar problem. My app also uses session information to track
logins, and calls session.invalidate() when a user logs out.

So far I'm seeing that if a user starts up a new browser, logs in, logs out, and
attempts to login again as a different user, they get the session from their first
login as if they had never logged out. Logging off again appears to fix the problem,
and subsequent logins from the browser work fine. The problem recurs when a new
browser is started.

I don't see any references to this problem in Bugzilla, so I'll dive into the code and
see what I can find. But if by chance someone has already fixed this problem somewhere,
please let me know.
---
Environment:
Server:
Tomcat 3.3m1 standalone on Solaris 2.7
IBM JDK 1.2.2
Client:
NT 4.0 SP 5
IE 5.5 or Netscape 4.7 - same symptoms
Thanks,
Aaron Dunlop
[EMAIL PROTECTED]
--
From: [EMAIL PROTECTED]
Hi,
I seem to be having a problem with session.invalidate(). I'm using this for
users to log out of my web site but it seems to take two attempts before the user
is properly logged out!
I am using JDBCRealms for authentication BTW.
I have set up a simple four page web site:
test/jsp/index.jsp  front page
<%
response.setHeader("Cache-Control","no-cache"); //HTTP 1.1
response.setHeader("Pragma","no-cache"); //HTTP 1.0
response.setDateHeader ("Expires", 0); //prevents caching at the proxy server
%>


<%=request.toString()%>
<%=request.getSession (false)%>
<%=request.getRemoteUser()%>
<%=request.getUserPrincipal()%>
Login


test/jsp/protected/index.jsp --- protected page
<%
response.setHeader("Cache-Control","no-cache"); //HTTP 1.1
response.setHeader("Pragma","no-cache"); //HTTP 1.0
response.setDateHeader ("Expires", 0); //prevents caching at the proxy server
%>


<%=request.toString()%>
<%=request.getSession (false)%>
you are currently logged in as <%= request.getRemoteUser() %>
Logout


test/jsp/protected/logout.jsp --- logout page
<%
response.setHeader("Cache-Control","no-cache"); //HTTP 1.1
response.setHeader("Pragma","no-cache"); //HTTP 1.0
response.setDateHeader ("Expires", 0); //prevents caching at the proxy server
%>


<%=request.toString()%>
<%=request.getSession (false)%>
<%=request.getRemoteUser()%>
<%=request.getUserPrincipal()%>
<%
 session.invalidate ();
%>
<%=request.getSession (false)%>
<%=request.toString()%>
<%=request.getRemoteUser()%>
<%=request.getUserPrincipal()%>
home.


test/jsp/login/login.jsp --- login page used by FORM based authentication.


Login page 

 Username: 
 Password: 
 
 



The problem occurs like this:
The first time around the request for protected/index.jsp is detected and you
have to log in.
From there, access the logout page which does a <% session.invalidate();%>.
Then back to jsp/index.jsp, try and access the protected page from here --
straight in as still authenticated.
Accessing the log out page again, actually logs out this time!
Is this a known problem? Any possible workarounds?
Thanks,
Sam.
PS. This works fine on TC3.2.1



Re: TC3.3m1 Possible bug with session.invalidate

2001-03-06 Thread William Barker



The place to look is 
src/share/org/apache/tomcat/modules/session/SimpleSessionStore.java.  Or, 
better, get the latest version of this file since the bug was fixed about two 
weeks ago.

  - Original Message -
  From: Dunlop, Aaron
  To: '[EMAIL PROTECTED]'
  Sent: Tuesday, March 06, 2001 2:11 PM
  Subject: Re: TC3.3m1 Possible bug with session.invalidate
  
  I seem to be having a similar problem. My app also uses 
  session information to track logins, and calls 
  session.invalidate() when a user logs out. 
  So far I'm seeing that if a user starts up a new browser, logs 
  in, logs out, and attempts to login again as a different user, they get the 
  session from their first login as if they 
  had never logged out. Logging off again appears to fix the 
  problem, and subsequent logins from the browser work 
  fine. The problem recurs when a new browser is started. 
  I don't see any references to this problem in Bugzilla, so 
  I'll dive into the code and see what I can find. But 
  if by chance someone has already fixed this problem somewhere, 
  please let me know. 
  ---
  Environment:
  Server:
  Tomcat 3.3m1 standalone on Solaris 2.7
  IBM JDK 1.2.2
  Client:
  NT 4.0 SP 5
  IE 5.5 or Netscape 4.7 - same symptoms
  Thanks,
  Aaron Dunlop
  [EMAIL PROTECTED]
  -- 
  From: [EMAIL PROTECTED] 
  Hi, 
  I seem to be having a problem with session.invalidate(). I'm
  using this for users to log out of my web site but it
  seems to take two attempts before the user is properly
  logged out!
  I am using JDBCRealms for authentication BTW. 
  I have set up a simple four page web site: 
  test/jsp/index.jsp  front page
  <%
  response.setHeader("Cache-Control","no-cache"); //HTTP 1.1
  response.setHeader("Pragma","no-cache"); //HTTP 1.0
  response.setDateHeader ("Expires", 0); //prevents caching at the proxy server
  %>
  <%=request.toString()%>
  <%=request.getSession (false)%>
  <%=request.getRemoteUser()%>
  <%=request.getUserPrincipal()%>
  Login

  test/jsp/protected/index.jsp --- protected page
  <%
  response.setHeader("Cache-Control","no-cache"); //HTTP 1.1
  response.setHeader("Pragma","no-cache"); //HTTP 1.0
  response.setDateHeader ("Expires", 0); //prevents caching at the proxy server
  %>
  <%=request.toString()%>
  <%=request.getSession (false)%>
  you are currently logged in as <%= request.getRemoteUser() %>
  Logout

  test/jsp/protected/logout.jsp --- logout page
  <%
  response.setHeader("Cache-Control","no-cache"); //HTTP 1.1
  response.setHeader("Pragma","no-cache"); //HTTP 1.0
  response.setDateHeader ("Expires", 0); //prevents caching at the proxy server
  %>
  <%=request.toString()%>
  <%=request.getSession (false)%>
  <%=request.getRemoteUser()%>
  <%=request.getUserPrincipal()%>
  <%
   session.invalidate ();
  %>
  <%=request.getSession (false)%>
  <%=request.toString()%>
  <%=request.getRemoteUser()%>
  <%=request.getUserPrincipal()%>
  home.

  test/jsp/login/login.jsp --- login page used by FORM based authentication.
  Login page
   Username:
   Password:

  The problem occurs like this:
  The first time around the request for protected/index.jsp is detected and
  you have to log in.
  From there, access the logout page which does a <% session.invalidate();%>.
  Then back to jsp/index.jsp, try and access the protected page from here --
  straight in as still authenticated.
  Accessing the log out page again, actually logs out this time!

  Is this a known problem? Any possible workarounds?

  Thanks,
  Sam.
  PS. This works fine on TC3.2.1


Re: TC3.3m1 Possible bug with session.invalidate

2001-03-06 Thread Dunlop, Aaron





I seem to be having a similar problem. My app also uses session information to track 
logins, and calls session.invalidate() when a user logs out.


So far I'm seeing that if a user starts up a new browser, logs in, logs out, and
attempts to login again as a different user, they get the session from their first
login as if they had never logged out. Logging off again appears to fix the problem,
and subsequent logins from the browser work fine. The problem recurs when a new
browser is started.


I don't see any references to this problem in Bugzilla, so I'll dive into the code and 
see what I can find. But if by chance someone has already fixed this problem somewhere, 
please let me know.


---
Environment: 


Server:
Tomcat 3.3m1 standalone on Solaris 2.7
IBM JDK 1.2.2


Client:
NT 4.0 SP 5
IE 5.5 or Netscape 4.7 - same symptoms


Thanks,
Aaron Dunlop
[EMAIL PROTECTED]


--
From: [EMAIL PROTECTED] 


Hi,


I seem to be having a problem with session.invalidate(). I'm using this for
users to log out of my web site but it seems to take two attempts before the user
is properly logged out!


I am using JDBCRealms for authentication BTW.


I have set up a simple four page web site:


test/jsp/index.jsp  front page
<%
response.setHeader("Cache-Control","no-cache"); //HTTP 1.1
response.setHeader("Pragma","no-cache"); //HTTP 1.0
response.setDateHeader ("Expires", 0); //prevents caching at the proxy server
%>


<%=request.toString()%>
<%=request.getSession (false)%>
<%=request.getRemoteUser()%>
<%=request.getUserPrincipal()%>


Login







test/jsp/protected/index.jsp --- protected page
<%
response.setHeader("Cache-Control","no-cache"); //HTTP 1.1
response.setHeader("Pragma","no-cache"); //HTTP 1.0
response.setDateHeader ("Expires", 0); //prevents caching at the proxy server
%>




<%=request.toString()%>
<%=request.getSession (false)%>
you are currently logged in as <%= request.getRemoteUser() %>
Logout







test/jsp/protected/logout.jsp --- logout page
<%
response.setHeader("Cache-Control","no-cache"); //HTTP 1.1
response.setHeader("Pragma","no-cache"); //HTTP 1.0
response.setDateHeader ("Expires", 0); //prevents caching at the proxy server
%>


<%=request.toString()%>
<%=request.getSession (false)%>
<%=request.getRemoteUser()%>
<%=request.getUserPrincipal()%>
<%
 session.invalidate ();
%>
<%=request.getSession (false)%>
<%=request.toString()%>
<%=request.getRemoteUser()%>
<%=request.getUserPrincipal()%>


home.





test/jsp/login/login.jsp --- login page used by FORM based authentication.


Login page 



 Username: 
 Password: 
 
 








The problem occurs like this:
The first time around the request for protected/index.jsp is detected and you
have to log in.
From there, access the logout page which does a <% session.invalidate();%>.
Then back to jsp/index.jsp, try and access the protected page from here --
straight in as still authenticated.
Accessing the log out page again, actually logs out this time!

Is this a known problem? Any possible workarounds?

Thanks,
Sam.
PS. This works fine on TC3.2.1





TC3.3m1 Possible bug with session.invalidate?

2001-03-02 Thread Sam . Cooper

Hi,

I seem to be having a problem with session.invalidate(). I'm using this for
users to log out of my web site but it seems to take two attempts before the user
is properly logged out!

I am using JDBCRealms for authentication BTW.

I have set up a simple four page web site:

test/jsp/index.jsp  front page
<%
response.setHeader("Cache-Control","no-cache"); //HTTP 1.1
response.setHeader("Pragma","no-cache"); //HTTP 1.0
response.setDateHeader ("Expires", 0); //prevents caching at the proxy server
%>


<%=request.toString()%>
<%=request.getSession (false)%>
<%=request.getRemoteUser()%>
<%=request.getUserPrincipal()%>

Login





test/jsp/protected/index.jsp --- protected page
<%
response.setHeader("Cache-Control","no-cache"); //HTTP 1.1
response.setHeader("Pragma","no-cache"); //HTTP 1.0
response.setDateHeader ("Expires", 0); //prevents caching at the proxy server
%>



<%=request.toString()%>
<%=request.getSession (false)%>
you are currently logged in as <%= request.getRemoteUser() %>
Logout





test/jsp/protected/logout.jsp --- logout page
<%
response.setHeader("Cache-Control","no-cache"); //HTTP 1.1
response.setHeader("Pragma","no-cache"); //HTTP 1.0
response.setDateHeader ("Expires", 0); //prevents caching at the proxy server
%>


<%=request.toString()%>
<%=request.getSession (false)%>
<%=request.getRemoteUser()%>
<%=request.getUserPrincipal()%>
<%
 session.invalidate ();
%>
<%=request.getSession (false)%>
<%=request.toString()%>
<%=request.getRemoteUser()%>
<%=request.getUserPrincipal()%>

home.




test/jsp/login/login.jsp --- login page used by FORM based authentication.


Login page 


 Username: 
 Password: 
 
 






The problem occurs like this:
The first time around the request for protected/index.jsp is detected and you
have to log in.
From there, access the logout page which does a <% session.invalidate();%>.
Then back to jsp/index.jsp, try and access the protected page from here --
straight in as still authenticated.
Accessing the log out page again, actually logs out this time!

Is this a known problem? Any possible workarounds?

Thanks,
Sam.
PS. This works fine on TC3.2.1



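
The reproduction steps from this thread (log in, log out, then reuse the same browser session) written as an automated logout check. This is an added example, not code from the thread or from Tomcat: `ToyApp`, its paths and `logout_findings` are constructed for illustration, and `stale_logout` reproduces only the reported symptom, not the actual defect in SimpleSessionStore.java.

```python
import secrets

class ToyApp:
    """Constructed stand-in for a web app with server-side sessions.

    stale_logout=True reproduces only the symptom reported in the thread
    (the first logout leaves the session usable), not Tomcat's internals.
    """
    def __init__(self, stale_logout=False):
        self.sessions = {}                      # session id -> user name
        self.skip_next_invalidate = stale_logout

    def request(self, path, sid=None, user=None):
        """Return (status, session id the browser would send next)."""
        if path == "/login":
            if sid in self.sessions:            # live session: login is skipped
                return 200, sid
            sid = secrets.token_hex(16)
            self.sessions[sid] = user
            return 200, sid
        if path == "/protected/logout.jsp":
            if self.skip_next_invalidate:
                self.skip_next_invalidate = False   # symptom: first logout is a no-op
            else:
                self.sessions.pop(sid, None)
            return 200, sid
        if path.startswith("/protected/"):
            return (200, sid) if sid in self.sessions else (401, None)
        return 200, sid

def logout_findings(app):
    """Replay login, logout, re-access and list every way logout failed."""
    findings = []
    _, old_sid = app.request("/login", user="alice")
    app.request("/protected/logout.jsp", sid=old_sid)
    # 1. The pre-logout session id must no longer open protected pages.
    status, _ = app.request("/protected/index.jsp", sid=old_sid)
    if status == 200:
        findings.append("old session still authenticated after logout")
    # 2. A different user logging in from the same browser must get a new id.
    _, new_sid = app.request("/login", sid=old_sid, user="bob")
    if new_sid == old_sid:
        findings.append("session id reused across users")
    return findings
```

To run the same check against a real deployment, replace `ToyApp.request` with an HTTP client that sends the session cookie and returns the status code.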