struts-user mailing list archives

From "Luna, Katherine" <Kat.L...@emergis.com>
Subject RE: STRANGE: session.invalidate() is not invalidating the session
Date Thu, 30 Aug 2001 16:47:27 GMT
I also am suffering from this problem.

I have the user object in the session, and each jsp page except the
logon.jsp checks the session.  This prevents display of any page EXCEPT the
one immediately following the login page (Welcome.jsp).  If the user
refreshes Welcome.jsp, IE resubmits the LogonForm containing the username and
password, LogonAction accepts these values and 'presto' the user is in
again.

Basically, if the user logs out from welcome.jsp, then backs up with the
Browser 'Back' button, they can refresh the page and become logged in
without re-entering the username and password because these values must be
stored in the request.  I have added the following code to prevent caching
of LogonForm (it has scope request according to struts-config.xml)

<%
// One Cache-Control header carrying every directive: a second setHeader() call
// would replace the first value instead of adding to it.
response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate, private"); // HTTP 1.1
response.setHeader("Pragma", "no-cache");   // HTTP 1.0 clients and proxies
response.setDateHeader("Expires", 0);       // already-expired date; prevents caching at the proxy server
%>
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="expires" content="0">


but no luck.  Anyone who backs in from a Logout to Welcome.jsp can simply
refresh the page and resubmit whatever values were originally entered on the
Login page.

This method makes every page except welcome.jsp secure.  Does anyone have
any suggestions for removing the values input in LoginForm from the cache??

Kat
 

-----Original Message-----
From: Keith Bacon [mailto:keithbacon@yahoo.com]
Sent: Thursday, August 30, 2001 11:44 AM
To: struts-user@jakarta.apache.org
Subject: RE: STRANGE: session.invalidate() is not invalidating the
session


I think there was a recent post dealing with this.

Struts tends to create a new session if there isn't one there. (every
time the action servlet runs I suspect?).

To restrict access to pages you should require the user to be logged
on.
- At logon add some object to the session (I call mine singedOnUser).
- When a page starts (at start of your Action class code) if that
object is present, the user is logged on, so you allow access.
Hope that helps
Keith.


--- Shamdasani Nimmi-ANS004 <ANS004@motorola.com> wrote:
> I am under the impression that session.invalidate() should be
> sufficient for logout. The problem that's happening is that I can
> run the whole application again and go to pages that I didn't go to
> before logging out, which means these pages were never in the
> cache.
> 
> -Nimmi
> 
> -----Original Message-----
> From: SUPRIYA MISRA [mailto:supriya_misra@hotmail.com]
> Sent: Thursday, August 30, 2001 8:07 AM
> To: struts-user@jakarta.apache.org
> Subject: RE: STRANGE: session.invalidate() is not invalidating the
> session
> 
> 
> try adding these lines to the JSP
> <%
>     response.setHeader("Cache-Control","no-store"); //HTTP 1.1
>     response.setHeader("Pragma","no-cache"); //HTTP 1.0
>     response.setDateHeader ("Expires", 0); //prevents caching at the proxy server
> %>
> 
> 
> 
> 
> >From: "Dudley Butt@i-Commerce" <Dudley.Butt@za.didata.com>
> >Reply-To: struts-user@jakarta.apache.org
> >To: "'struts-user@jakarta.apache.org'"
> <struts-user@jakarta.apache.org>
> >Subject: RE: STRANGE: session.invalidate() is not invalidating the
> session
> >Date: Thu, 30 Aug 2001 10:13:40 +0200
> >
> >i'm having the same problem , please help anyone?
> >
> >-----Original Message-----
> >From: Shamdasani Nimmi-ANS004 [mailto:ANS004@motorola.com]
> >Sent: Wednesday, August 29, 2001 9:32 PM
> >To: struts-user@jakarta.apache.org (E-mail)
> >Subject: STRANGE: session.invalidate() is not invalidating the
> session
> >
> >
> >Hi,
> >
> >I noticed a peculiar thing. In my application I have a logout link
> on 
> >pages.
> >This link control goes to 'Logout' action where I  clean up the
> session
> >variables and then invalidate the session with:
> >
> >session.invalidate();
> >
> >and this class forwards it to Logout.jsp which just has the
> goodbye 
> >message.
> >
> >I have noticed that at this point if I keep going back with the
> back key of
> >my browser to the point where jsessionid is part of the URL, i.e.,
> >
> >http://localhost:8080/msqc/logon.do;jsessionid=149062E2E0A77480075991317505D453
> >
> >
> >and do the browser refresh here then I can go back into the
> application
> >without having to log in again. It is as if the session is still
> alive.
> >
> >All the screens(incl. the above URL point) going backwards from
> Logout.jsp
> >do show the page expired message but doing refresh on the above
> URL screen
> >only brings back the application
> >
> >Could someone please explain this to me? Has anyone else seen
> this?
> >
> >BTW I am using Tomcat 4.0 and Struts 1.1(same happens with 1.0
> too)
> >
> >TIA.
> >
> >-Nimmi
> >
> >



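Added example (editor's code, not from any message in this thread). It puts Kat's problem and Keith's suggestion together for Struts 1.1. Kat's symptom is not a caching failure: a refresh of a page that was the result of a POST re-sends the POST, so LogonAction sees the username and password again and creates a fresh login no matter what cache headers Welcome.jsp carries. The example therefore (1) makes the logon form carry a one-time token, issued by the action that renders the form and consumed by the action that processes it, so a replayed submission is rejected; (2) invalidates the pre-login session and starts a new one at logon, so the jsessionid already in the URL (as in Nimmi's case) never becomes an authenticated session; (3) redirects to the welcome page after logon, so the welcome page is reached by GET and a refresh has nothing to resubmit; and (4) puts Keith's "object in the session" check in one base class that all other actions extend. Assumptions: the package name example.web, the form bean LogonForm with getUsername()/getPassword(), the forward names "logon", "form" and "welcome" (with the welcome forward declared redirect="true" in struts-config.xml), the session attribute name "signedOnUser", a separate mapping /showLogon.do for rendering the form, and the in-memory user table, which is constructed sample data.

```java
// Three Struts 1.1 actions, each in its own file under the assumed package
// example.web (the import block below is repeated in each file).
package example.web;

import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

// ---- ProtectedAction.java: Keith's "object in the session" check, written once ----
public abstract class ProtectedAction extends Action {
    /** Session attribute that marks an authenticated session (name assumed). */
    public static final String USER_KEY = "signedOnUser";

    public final ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        // getSession(false): never create a session here. The ActionServlet may already
        // have created an empty one, so test for the attribute, not for the session.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_KEY) == null) {
            return mapping.findForward("logon");   // assumed global forward to /showLogon.do
        }
        return executeAuthenticated(mapping, form, request, response, session);
    }

    /** Subclasses put their page logic here; it only runs for a signed-on user. */
    protected abstract ActionForward executeAuthenticated(ActionMapping mapping,
            ActionForm form, HttpServletRequest request, HttpServletResponse response,
            HttpSession session) throws Exception;
}

// ---- ShowLogonAction.java: mapped to /showLogon.do, renders logon.jsp ----
public final class ShowLogonAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        saveToken(request);   // one-time token in the session; <html:form> emits it as a hidden field
        return mapping.findForward("form");   // assumed: <forward name="form" path="/logon.jsp"/>
    }
}

// ---- LogonAction.java: mapped to /logon.do, processes the POST ----
public final class LogonAction extends Action {
    // Constructed sample credentials; a real application looks these up in its user store.
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static { USERS.put("kat", "correct horse battery"); }

    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        // 1. A Back + Refresh re-POST carries a token that was already consumed (or
        //    arrives with no session at all after logout), so it fails here instead
        //    of logging the user in again.
        if (!isTokenValid(request)) {
            return mapping.findForward("logon");
        }
        resetToken(request);

        LogonForm logonForm = (LogonForm) form;   // assumed getters getUsername()/getPassword()
        if (!authenticate(logonForm.getUsername(), logonForm.getPassword())) {
            return mapping.findForward("logon");
        }

        // 2. Discard the pre-login session (the jsessionid already in the URL) and mark
        //    a brand-new one as signed on, so an old id never becomes authenticated.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        request.getSession(true).setAttribute(ProtectedAction.USER_KEY, logonForm.getUsername());

        // 3. Redirect rather than forward: the welcome page is then a GET, and a refresh
        //    of it re-requests the page with no credentials to replay.
        return mapping.findForward("welcome");   // assumed: <forward name="welcome" path="/welcome.do" redirect="true"/>
    }

    private static boolean authenticate(String user, String password) {
        String expected = (user == null || password == null) ? null : USERS.get(user);
        return expected != null
                && MessageDigest.isEqual(expected.getBytes(), password.getBytes());
    }
}
```

The cache headers on the protected pages are still worth keeping: with no-store the browser will not show a logged-out page from its history cache. They cannot, however, stop a refresh from resubmitting the logon POST, which is why the token check and the redirect after logon are the part that actually closes Kat's hole. Logout keeps calling session.invalidate(); because every protected action now goes through ProtectedAction, a request that arrives afterwards with the old jsessionid finds no signed-on attribute and is sent back to the logon form.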