...

View Full Version : logout session



tech99sri
04-18-2008, 05:34 PM
I have a filter to control the session of my application.when the user logs in he will be able to access all the jsp pages .
Problem--- Even after user logs out , he is able to directly access the jsp pages , by typing the url .(but before loggin in he would be redirected to login page if
he tries to access any jsp page directly)
What should I do to avoid this problem , (ie when the user hits the "logout" he should not be able to directly access the jsp pages any more , he needs to be redirected again to login page.)


I am actually just using a logout link , (its a href tht redirects the page to the login.jsp ) , I cannot invalidate the session here.(ie I cannot create a seperate jsp page for the logout -- how do I I invalidate the sesion here?)
So when the user hits this logout link he is redirected to the login page.
But after tht when he enters the url directly he is able to directly access the pages.



please provide soln
thanks

Stooshie
04-18-2008, 06:22 PM
I'm not sure that relying on session variables alone will work (the user's browser will still have the same session id).

You will need to set a cookie containing some unique hash for that user (when they log in) and then clear that cookie when they log out again. Check for that cookie at the top of every page and if you can't find it, redirect the user.

I usually use PHP so I am not up on the proper syntax for JSP but the priniciple should be the same.

shyam
04-19-2008, 05:19 PM
I am actually just using a logout link , (its a href tht redirects the page to the login.jsp ) , I cannot invalidate the session here.(ie I cannot create a seperate jsp page for the logout -- how do I I invalidate the sesion here?)
So when the user hits this logout link he is redirected to the login page.
But after tht when he enters the url directly he is able to directly access the pages.

without invalidating the session (or atleast removing the relevant attributes that keep track of the current user) you cannot logout a user...simply redirecting isn't a logout....if you cannot create a separate page for logout then you can invalidate the session in the login.jsp

tech99sri
04-23-2008, 07:22 PM
But how do I do that in the login.jsp page??
I redirect the logout link to the login.jsp page.
Does'nt this invalidate the session when the user is still logged in??
Please reply
thanks



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum