Title: RE: STRANGE: session.invalidate() is not invalidating the session
I don't remember facing this session.invalidate() not invalidating the session problem when I was using tomcat 3.2.1. Are others who got the same problem using Tomcat 4.0-b7 also?
 
-Nimmi
-----Original Message-----
From: Krueger, Jeff [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 30, 2001 12:14 PM
To: [EMAIL PROTECTED]
Subject: RE: STRANGE: session.invalidate() is not invalidating the session

You have to go through an action class before your welcome.jsp, but there is a thing called a transaction token.  What this does is generate a unique number and put it in a hidden field on your page if you're using a struts form.  Then in your action class that the welcome.jsp submits to you can call isTokenValid.  That will check that hidden field to make sure it is the same number that was generated and put on the page for you in the other action class.  If it is valid then call resetToken and that value will be removed from the session.  If the user backs up and submits the page they will have the old token and when you call isTokenValid you will get false and be able to deal with it as you please.  Hope that helps.
 
Jeff Krueger
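
As an added example that is not part of this thread, here is the token flow Jeff describes written against the plain Servlet API instead of Struts' own saveToken/isTokenValid/resetToken; the class name, the session attribute name and the hidden field name are assumptions.

```java
// Added example, not from the thread: a synchronizer token that makes a
// re-POST of a form (browser Back + Refresh) fail validation.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public final class TransactionToken {
    /** Session attribute holding the current token (assumed name). */
    static final String SESSION_KEY = "TRANSACTION_TOKEN";
    /** Hidden form field that carries the token back (assumed name). */
    static final String FIELD = "tx_token";
    private static final SecureRandom RNG = new SecureRandom();

    /** Like Struts saveToken(): mint an unguessable token and remember it in the session.
     *  The page that renders the form embeds the returned value, e.g.
     *  <input type="hidden" name="tx_token" value="<%= TransactionToken.save(session) %>"> */
    public static String save(HttpSession session) {
        byte[] buf = new byte[16];
        RNG.nextBytes(buf);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        session.setAttribute(SESSION_KEY, token);
        return token;
    }

    /** Like Struts isTokenValid(): the submitted field must match the session copy.
     *  After session.invalidate() there is no session, so a replayed POST fails here. */
    public static boolean isValid(HttpServletRequest request) {
        HttpSession session = request.getSession(false);   // never create a session just to check
        if (session == null) return false;
        Object saved = session.getAttribute(SESSION_KEY);
        String submitted = request.getParameter(FIELD);
        if (saved == null || submitted == null) return false;
        return MessageDigest.isEqual(saved.toString().getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    /** Like Struts resetToken(): consume the token so the same form cannot be submitted twice. */
    public static void reset(HttpSession session) {
        session.removeAttribute(SESSION_KEY);
    }

    /** Submit-side action: validate, consume, then do the one-time work (e.g. the logon). */
    public static boolean handleSubmit(HttpServletRequest request) {
        if (!isValid(request)) return false;               // stale/missing token: treat as a duplicate
        reset(request.getSession(false));
        // ... authenticate and store the signed-on user object in the session here ...
        return true;
    }
}
```

The logon form page calls save() while rendering; the action it posts to calls handleSubmit(), so a refreshed or backed-into copy of the form carries a token the session no longer holds.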
 
-----Original Message-----
From: Luna, Katherine [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 30, 2001 10:47 AM
To: '[EMAIL PROTECTED]'
Subject: RE: STRANGE: session.invalidate() is not invalidating the session

I also am suffering from this problem.

I have the user object in the session, and each jsp page except the logon.jsp checks the session.  This prevents display of any page EXCEPT the one immediately following the login page (Welcome.jsp).  If the user refreshes Welcome.jsp, IE resubmits the LogonForm containing the username and password, LogonAction accepts these values and 'presto' the user is in again.

Basically, if the user logs out from welcome.jsp, then backs up with the Browser 'Back' button, they can refresh the page and become logged in without re-entering the username and password because these values must be stored in the request.  I have added the following code to prevent caching of LogonForm (it has scope request according to struts-config.xml)

<%
response.setHeader("Pragma", "no-cache");                            // HTTP 1.0 clients and proxies
// One Cache-Control header carrying all directives: a second setHeader() would overwrite the first
response.setHeader("Cache-Control", "no-cache, no-store, private");  // HTTP 1.1; "private" is what IE5.x honours
response.setDateHeader("Expires", 0);                                // already expired; prevents caching at the proxy server
%>
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="expires" content="0">


but no luck.  Anyone who backs in from a Logout to Welcome.jsp can simply refresh the page and resubmit whatever values were originally entered on the Login page.

This method makes every page except welcome.jsp secure.  Does anyone have any suggestions for removing the values input in LoginForm from the cache?

Kat
 

-----Original Message-----
From: Keith Bacon [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 30, 2001 11:44 AM
To: [EMAIL PROTECTED]
Subject: RE: STRANGE: session.invalidate() is not invalidating the session


I think there was a recent post dealing with this.

Struts tends to create a new session if there isn't one there. (every
time the action servlet runs I suspect?).

To restrict access to pages you should require the user to be logged on.
- At logon add some object to the session (I call mine singedOnUser).
- When a page starts (at start of your Action class code), if that object is present the user is logged on, so you allow access.
Hope that helps
Keith.


--- Shamdasani Nimmi-ANS004 <[EMAIL PROTECTED]> wrote:
> I am under the impression that session.invalidate() should be
> sufficient for logout. The problem that's happening is that I can
> run the whole application again and go to pages that I didn't go to
> before logging out, which means these pages were never in the
> cache.
>
> -Nimmi
>
> -----Original Message-----
> From: SUPRIYA MISRA [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 30, 2001 8:07 AM
> To: [EMAIL PROTECTED]
> Subject: RE: STRANGE: session.invalidate() is not invalidating the session
>
>
> try adding these lines to the JSP
> <%
>     response.setHeader("Cache-Control","no-store"); //HTTP 1.1
>     response.setHeader("Pragma","no-cache"); //HTTP 1.0
>     response.setDateHeader ("Expires", 0); //prevents caching at the proxy server
> %>
>
>
>
>
> >From: "Dudley Butt@i-Commerce" <[EMAIL PROTECTED]>
> >Reply-To: [EMAIL PROTECTED]
> >To: "'[EMAIL PROTECTED]'"
> <[EMAIL PROTECTED]>
> >Subject: RE: STRANGE: session.invalidate() is not invalidating the session
> >Date: Thu, 30 Aug 2001 10:13:40 +0200
> >
> >i'm having the same problem , please help anyone?
> >
> >-----Original Message-----
> >From: Shamdasani Nimmi-ANS004 [mailto:[EMAIL PROTECTED]]
> >Sent: Wednesday, August 29, 2001 9:32 PM
> >To: struts-user@jakarta.apache.org (E-mail)
> >Subject: STRANGE: session.invalidate() is not invalidating the session
> >
> >
> >Hi,
> >
> >I noticed a peculiar thing. In my application I have a logout link on pages.
> >This link control goes to 'Logout' action where I clean up the session variables and then invalidate the session with:
> >
> >session.invalidate();
> >
> >and this class forwards it to Logout.jsp which just has the goodbye message.
> >
> >I have noticed that at this point if I keep going back with the back key of my browser to the point where jsessionid is part of the URL, i.e.,
> >
> >http://localhost:8080/msqc/logon.do;jsessionid=149062E2E0A77480075991317505D453
> >
> >and do the browser refresh here then I can go back into the application without having to log in again. It is as if the session is still alive.
> >
> >All the screens (incl. the above URL point) going backwards from Logout.jsp do show the page expired message but doing refresh on the above URL screen only brings back the application.
> >
> >Could someone please explain this to me? Has anyone else seen this?
> >
> >BTW I am using Tomcat 4.0 and Struts 1.1 (same happens with 1.0 too)
> >
> >TIA.
> >
> >-Nimmi
> >
> >
>
>
>

