From: "Luna, Katherine"
To: "'struts-user@jakarta.apache.org'"
Subject: RE: STRANGE: session.invalidate() is not invalidating the session
Date: Thu, 30 Aug 2001 12:47:27 -0400
Message-ID: <977C9ED33C63D411B1B400508BAC910601596BAE@misa-cluster.bceemergis.com>
Mailing-List: contact struts-user-help@jakarta.apache.org; run by ezmlm
Reply-To: struts-user@jakarta.apache.org
X-Mailer: Internet Mail Service (5.5.2650.21)

I also am suffering from this problem.

I have the user object in the session, and each jsp page except the logon.jsp checks the session. This prevents display of any page EXCEPT the one immediately following the login page (Welcome.jsp). If the user refreshes Welcome.jsp, IE resubmits the LogonForm containing the username and password, LogonAction accepts these values and 'presto' the user is in again.

Basically, if the user logs out from welcome.jsp, then backs up with the Browser 'Back' button, they can refresh the page and become logged in without re-entering the username and password because these values must be stored in the request. I have added the following code to prevent caching of LogonForm (it has scope request according to struts-config.xml)

<%
// setHeader() replaces any earlier value for the same header, so all the
// Cache-Control directives have to go into one call: a second
// setHeader("Cache-Control", ...) silently discards the first one.
response.setHeader("Pragma", "no-cache");                                      // HTTP 1.0 clients and proxies
response.setHeader("Cache-Control", "no-cache, no-store, max-age=0, private"); // HTTP 1.1; "private" keeps shared proxies out (the IE5.x workaround)
response.setDateHeader("Expires", 0);                                          // a date in the past; prevents caching at the proxy server
%>
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="expires" content="0">


but no luck. Anyone who backs in from a Logout to Welcome.jsp can simply refresh the page and resubmit whatever values were originally entered on the Login page.

This method makes every page except welcome.jsp secure. Does anyone have any suggestions for removing the values input in LoginForm from the cache??

Kat
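The replay Kat describes, as an added example that is not part of this thread and not Struts code: a plain-Java simulation of a LogonAction that re-authenticates a re-POSTed login form after logout, beside a version that binds the form to a one-time token kept in the session. The Session and Container classes are stand-ins for HttpSession and the container's getSession(true) behaviour, the user table and the hidden field name "token" are constructed for the demo, and the session attribute name signedOnUser follows the convention suggested later in the thread.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

/**
 * Simulates the logout-then-refresh replay from the thread. Session and
 * Container are stand-ins for HttpSession and the container's
 * getSession(true) behaviour, not the Servlet API (assumption for this demo).
 */
public class LogonReplayDemo {

    /** Minimal HttpSession stand-in: attributes that stop working once invalidated. */
    static final class Session {
        private final Map<String, Object> attrs = new HashMap<>();
        private boolean valid = true;

        Object get(String key) { check(); return attrs.get(key); }
        void set(String key, Object value) { check(); attrs.put(key, value); }
        void remove(String key) { check(); attrs.remove(key); }
        void invalidate() { check(); attrs.clear(); valid = false; }
        boolean isValid() { return valid; }

        private void check() {
            if (!valid) throw new IllegalStateException("session has been invalidated");
        }
    }

    /** Stand-in for request.getSession(true): once the old session is dead, a fresh one is handed out. */
    static final class Container {
        private Session current = new Session();
        Session session() {
            if (!current.isValid()) current = new Session();
            return current;
        }
    }

    /** The LogonForm fields the browser re-POSTs when Welcome.jsp is refreshed. */
    static final class LogonForm {
        final String username;
        final String password;
        final String token;   // hidden field; null in the original form
        LogonForm(String username, String password, String token) {
            this.username = username; this.password = password; this.token = token;
        }
    }

    // Constructed credential store for the demo; a real application compares a password hash.
    static final Map<String, String> USERS = Collections.singletonMap("kat", "s3cret");

    static boolean credentialsOk(LogonForm form) {
        return form.username != null && form.password != null
                && form.password.equals(USERS.get(form.username));
    }

    /** Original LogonAction: any request carrying valid credentials signs the user on, replays included. */
    static boolean naiveLogon(Container container, LogonForm form) {
        if (!credentialsOk(form)) return false;
        container.session().set("signedOnUser", form.username);
        return true;
    }

    static final SecureRandom RNG = new SecureRandom();

    /** Run when logon.jsp is rendered: mint a token, keep it in the session, emit it as a hidden field. */
    static String issueLogonToken(Container container) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        container.session().set("logonToken", token);
        return token;
    }

    /**
     * Hardened LogonAction: the token is consumed on first use, and the session
     * that held it died at logout, so the re-POSTed form is refused even though
     * the username and password in it are still correct.
     */
    static boolean tokenLogon(Container container, LogonForm form) {
        Session session = container.session();
        Object expected = session.get("logonToken");
        session.remove("logonToken");   // single use, consumed whether or not the login succeeds
        if (expected == null || !Objects.equals(expected, form.token)) return false;
        if (!credentialsOk(form)) return false;
        session.set("signedOnUser", form.username);
        return true;
    }

    static boolean isLoggedIn(Container container) {
        return container.session().get("signedOnUser") != null;
    }

    static void logout(Container container) {
        container.session().invalidate();
    }

    public static void main(String[] args) {
        // Original behaviour: log in, log out, then the browser refreshes Welcome.jsp and re-POSTs the form.
        Container naive = new Container();
        LogonForm post = new LogonForm("kat", "s3cret", null);
        naiveLogon(naive, post);
        logout(naive);
        boolean replayAccepted = naiveLogon(naive, post);
        System.out.println("naive LogonAction: replay accepted = " + replayAccepted
                + ", logged in = " + isLoggedIn(naive));

        // Token-bound behaviour: the replayed POST carries a token the new session never issued.
        Container hardened = new Container();
        String token = issueLogonToken(hardened);             // rendering logon.jsp
        LogonForm post2 = new LogonForm("kat", "s3cret", token);
        boolean first = tokenLogon(hardened, post2);          // the genuine submit
        logout(hardened);
        boolean replay = tokenLogon(hardened, post2);         // Back, refresh, resubmit
        System.out.println("token LogonAction: first login = " + first
                + ", replay accepted = " + replay + ", logged in = " + isLoggedIn(hardened));
    }
}
```

The cache headers do not address this case: refreshing a page that was the result of a POST re-sends the POST, and it is the POST body that carries the credentials back to LogonAction. Consuming the token on first use, and losing it together with the session at logout, means the replayed form is rejected server-side no matter what the browser kept. Redirecting to Welcome.jsp after a successful login (POST, then redirect to a GET) is a useful second measure, since a refresh of the welcome page then re-GETs it instead of re-POSTing the form.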
 

-----Original Message-----
From: Keith Bacon [mailto:keithbacon@yahoo.com]
Sent: Thursday, August 30, 2001 11:44 AM
To: struts-user@jakarta.apache.org
Subject: RE: STRANGE: session.invalidate() is not invalidating the session


I think there was a recent post dealing with this.

Struts tends to create a new session if there isn't one there. (every
time the action servlet runs I suspect?).

To restrict access to pages you should require the user to be logged
on.
- At logon add some object to the session (I call mine singedOnUser).
- When a page starts (at start of your Action class code) if that
object is there the user is logged on so you allow access.
Hope that helps
Keith.
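Keith's check, written once as a servlet filter instead of being repeated at the top of every Action; this is an added example, not code from the thread or from Struts. It assumes the Servlet 2.3 API that Tomcat 4.0 ships with, the session attribute name signedOnUser, and a logon action mapped at /logon.do; the filter has to be mapped to /* in web.xml so that JSPs requested directly are covered as well as *.do actions.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Guards every request except the logon action: without a live session that
 * carries the signed-on user, the request is redirected to the logon page.
 * Servlet 2.3 API as shipped with Tomcat 4.0 (assumption for this example).
 */
public class SignedOnFilter implements Filter {

    /** Session attribute set by LogonAction on success (name assumed here). */
    static final String USER_ATTR = "signedOnUser";

    /** Struts action that must stay reachable without a session (path assumed here). */
    static final String LOGON_PATH = "/logon.do";

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Mark every response, logon page included, as not storable, so a page
        // shown after logout is fetched again (and hits this check) rather than
        // being served from the browser or proxy cache. setHeader() replaces an
        // earlier value, hence one call carrying all Cache-Control directives.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        if (LOGON_PATH.equals(request.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false) returns null instead of creating a session, so a
        // request carrying a stale jsessionid from before logout is not quietly
        // handed a new, empty session here.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            response.sendRedirect(request.getContextPath() + LOGON_PATH);
            return;
        }

        chain.doFilter(req, res);
    }

    public void destroy() {
        // nothing to release
    }
}
```

Register it in web.xml with a <filter> element and a <filter-mapping> whose <url-pattern> is /*. The getSession(false) call is the point that differs from what the Struts action servlet does: the action servlet asks for a session and so gets a fresh one whenever the old id is dead, which is why a refresh of a URL carrying an invalidated jsessionid looks as if the session were still alive. This filter only keeps unauthenticated requests off the protected pages; a re-POSTed login form still reaches /logon.do by design, and refusing it is LogonAction's job (for instance with a one-time token in the form).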


--- Shamdasani Nimmi-ANS004 <ANS004@motorola.com> wrote:
> I am under the impression that session.invalidate() should be
> sufficient for logout. The problem that's happening is that I can
> run the whole application again and go to pages that I didn't go to
> before logging out, which means these pages were never in the
> cache.
>
> -Nimmi
>
> -----Original Message-----
> From: SUPRIYA MISRA [mailto:supriya_misra@hotmail.com]
> Sent: Thursday, August 30, 2001 8:07 AM
> To: struts-user@jakarta.apache.org
> Subject: RE: STRANGE: session.invalidate() is not invalidating the session
>
>
> try adding these lines to the JSP
> <%
>     response.setHeader("Cache-Control", "no-store"); // HTTP 1.1
>     response.setHeader("Pragma", "no-cache");        // HTTP 1.0
>     response.setDateHeader("Expires", 0);            // prevents caching at the proxy server
> %>
>
>
> >From: "Dudley Butt@i-Commerce" <Dudley.Butt@za.didata.com>
> >Reply-To: struts-user@jakarta.apache.org
> >To: "'struts-user@jakarta.apache.org'" <struts-user@jakarta.apache.org>
> >Subject: RE: STRANGE: session.invalidate() is not invalidating the session
> >Date: Thu, 30 Aug 2001 10:13:40 +0200
> >
> >i'm having the same problem , please help anyone?
> >
> >-----Original Message-----
> >From: Shamdasani Nimmi-ANS004 [mailto:ANS004@motorola.com]
> >Sent: Wednesday, August 29, 2001 9:32 PM
> >To: struts-user@jakarta.apache.org (E-mail)
> >Subject: STRANGE: session.invalidate() is not invalidating the session
> >
> >
> >Hi,
> >
> >I noticed a peculiar thing. In my application I have a logout link on pages.
> >This link control goes to 'Logout' action where I clean up the session
> >variables and then invalidate the session with:
> >
> >session.invalidate();
> >
> >and this class forwards it to Logout.jsp which just has the goodbye message.
> >
> >I have noticed that at this point if I keep going back with the back key of
> >my browser to the point where jsessionid is part of the URL, i.e.,
> >
> >http://localhost:8080/msqc/logon.do;jsessionid=149062E2E0A77480075991317505D453
> >
> >and do the browser refresh here then I can go back into the application
> >without having to log in again. It is as if the session is still alive.
> >
> >All the screens (incl. the above URL point) going backwards from Logout.jsp
> >do show the page expired message but doing refresh on the above URL screen
> >only brings back the application.
> >
> >Could someone please explain this to me? Has anyone else seen this?
> >
> >BTW I am using Tomcat 4.0 and Struts 1.1 (same happens with 1.0 too)
> >
> >TIA.
> >
> >-Nimmi