tags:

views:

12

answers:

1
Q: 

Session invalidation in FF , Tomcat

Hi

I am using Tomcat web container. I have an admin console app implemented. When I click on logout a session attribute is made null and invalidated see the below code in my logout.jsp file. After logout the user is taken to the login page. In fireFox I click back button I have the below issues. First I do not get page expired page like in IE Second when I click on any of the link in the page , I check for the sessioon attribute which I made null in logout. The value of that is "success". I am totally confused with this behaviour. Is it issue with firefox or tomcat session management.

I am sure I need more knowledge to understand this behaviour. Appreciate your help in letting me know what happens here...

<%@ page session="false" %>
<%
response.setHeader("cache-control","no-cache");
response.setHeader("Pragma","no-cache");
response.setDateHeader("Expires",-1);

%>
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
    <% 
    HttpSession session = request.getSession(false);
    System.out.println("session"+session);
    session.setAttribute("loginStatus",null);
    session.invalidate();
  %>
A: 

The headers are incomplete. You need the following set of headers:

response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
response.setDateHeader("Expires", 0); // Proxies.

Escpecially the must-revalidate entry fixes this particular FF issue.

See also

Unrelated to the actual problem, I've a few comments about this piece of code:

  • You should prefer UTF-8 over ISO-8859-1 to gain world domination.
  • Raw Java code in a JSP page is poor practice. The response headers needs to be set in a Filter and the logout needs to happen (indirectly) in a Servlet.
  • Calling getSession(false) with false may return a null session which in turn can lead to a NullPointerException in certain circumstances. Get rid of false or at least add a nullcheck.
  • Setting attribute to null right before calling invalidate() is unnecessary. The invalidate() call already trashes all the attribtues.

Hope you learn something from this.

BalusC  2010-08-30 11:21:42
Hi BalusC, Thank you for sharing your expertise and kind advise. I am thank ful to you.
 2010-09-07 07:17:59

related questions

What is typically the length of your optimal coding session?
What's the most current, good practice, and easiest way to use sessions in PHP?
What can cause an ASP.NET worker process to be recycled?
How do I explicitly set asp.net sessions to ONLY expire on closing the browser or explicit logou?
session variable mixup in ASP.NET?
In Classic asp, can I store a database connection in the Session object?
What are the advantages and disadvantages of the Session Façade Core J2EE Pattern?
Different values of GetHashCode for inproc and stateserver session variables
Best way for allowing subdomain session cookies using Tomcat
Is there a way to specify a different session store with Tomcat?
PHP: $_SESSION - What are the pros and cons of storing temporarily used data in the $_SESSION variable
What is the best way to handle sessions for a PHP site on multiple hosts?
How much data can/should you store in a users session object?
ASP.Net Session_Start event not firing
Logging image downloads
ASP.Net: If I have the Session ID, Can I get the Session object?
Secure session cookies in ASP.NET over HTTPS
Django Sessions
Can I put an ASP.Net session ID in a hidden form field?
Always including the user in the django template context
Rails - recovering database from Production.log
Most efficient way to get data from the database to session
What is the best way to prevent session hijacking?
FOSS ASP.Net Session Replication Solution?
How do I best detect an ASP.NET expired session?