Before I invalidate a session I remove all user session objects and at the top of each
JSP I check that the user is logged on (i.e., check for an object in session).

If I type in a URL with any JSP it brings up the Logon screen as it should do but if I
go back in browser history to the screen whose URL contains the jsessionid info then I
go right back into the application.

-----Original Message-----
From: Keith Bacon [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 30, 2001 10:44 AM
To: [EMAIL PROTECTED]
Subject: RE: STRANGE: session.invalidate() is not invalidating the
session


I think there was a recent post dealing with this.

Struts tends to create a new session if there isn't one there. (every
time the action servlet runs I suspect?).

To restrict access to pages you should require the user to be logged
on.
- At logon add some object to the session (I call mine singedOnUser).
- When a page starts (at start of your Action class code) if that
object is there the user is logged on so you allow access.
Hope that helps
Keith.


--- Shamdasani Nimmi-ANS004 <[EMAIL PROTECTED]> wrote:
> I am under the impression that session.invalidate() should be
> sufficient for logout. The problem that's happening is that I can
> run the whole application again and go to pages that I didn't go to
> before logging out, which means these pages were never in the
> cache.
> 
> -Nimmi
> 
> -----Original Message-----
> From: SUPRIYA MISRA [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 30, 2001 8:07 AM
> To: [EMAIL PROTECTED]
> Subject: RE: STRANGE: session.invalidate() is not invalidating the
> session
> 
> 
> Try adding these lines to the JSP:
> <%
>     response.setHeader("Cache-Control","no-store"); //HTTP 1.1
>     response.setHeader("Pragma","no-cache"); //HTTP 1.0
>     response.setDateHeader("Expires", 0); //prevents caching at the proxy server
> %>
> 
> 
> 
> 
> >From: "Dudley Butt@i-Commerce" <[EMAIL PROTECTED]>
> >Reply-To: [EMAIL PROTECTED]
> >To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> >Subject: RE: STRANGE: session.invalidate() is not invalidating the session
> >Date: Thu, 30 Aug 2001 10:13:40 +0200
> >
> >I'm having the same problem, please help anyone?
> >
> >-----Original Message-----
> >From: Shamdasani Nimmi-ANS004 [mailto:[EMAIL PROTECTED]]
> >Sent: Wednesday, August 29, 2001 9:32 PM
> >To: struts-user@jakarta.apache.org (E-mail)
> >Subject: STRANGE: session.invalidate() is not invalidating the session
> >
> >
> >Hi,
> >
> >I noticed a peculiar thing. In my application I have a logout link on pages.
> >This link control goes to 'Logout' action where I clean up the session
> >variables and then invalidate the session with:
> >
> >session.invalidate();
> >
> >and this class forwards it to Logout.jsp which just has the goodbye message.
> >
> >I have noticed that at this point if I keep going back with the back key of
> >my browser to the point where jsessionid is part of the URL, i.e.,
> >
> >http://localhost:8080/msqc/logon.do;jsessionid=149062E2E0A77480075991317505D453
> >
> >
> >and do the browser refresh here then I can go back into the application
> >without having to log in again. It is as if the session is still alive.
> >
> >All the screens (incl. the above URL point) going backwards from Logout.jsp
> >do show the page expired message but doing refresh on the above URL screen
> >only brings back the application
> >
> >Could someone please explain this to me? Has anyone else seen this?
> >
> >BTW I am using Tomcat 4.0 and Struts 1.1 (same happens with 1.0 too)
> >
> >TIA.
> >
> >-Nimmi
> >
> >
> 
> 


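An added example, not part of the thread or any poster's code: a servlet filter that combines the two suggestions quoted above (a signed-on marker object in the session, and the no-cache response headers) and looks the session up with `getSession(false)` so that a request never creates a fresh session as a side effect of the check. The class name, the `signedOnUser` attribute key, and the `/logon.do` and `/logon.jsp` paths are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (not from the thread). Assumed names: the "signedOnUser"
// session attribute and the /logon.do, /logon.jsp paths.
public class SignedOnFilter implements Filter {
    private static final String USER_KEY = "signedOnUser";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // Same headers as suggested in the thread, applied to every response
        // so protected pages are not served again from a cache after logout.
        res.setHeader("Cache-Control", "no-store");
        res.setHeader("Pragma", "no-cache");
        res.setDateHeader("Expires", 0);

        // The logon page and logon action must stay reachable without a session.
        String path = req.getServletPath();
        if ("/logon.do".equals(path) || "/logon.jsp".equals(path)) {
            chain.doFilter(rq, rs);
            return;
        }

        // getSession(false) returns null instead of creating a session, so a
        // jsessionid that refers to an invalidated session yields null here.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute(USER_KEY) == null) {
            res.sendRedirect(req.getContextPath() + "/logon.jsp");
            return;
        }
        chain.doFilter(rq, rs);
    }

    // Call from the logout action: drop the marker, then the session itself.
    public static void logout(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.removeAttribute(USER_KEY);
            session.invalidate();
        }
    }
}
```

The filter only takes effect once it is declared and mapped in `web.xml`; the logon action is expected to set the `signedOnUser` attribute only after credentials have been verified.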