Martin,

Thanks for your response. I will first try the #1 approach in your email. But I have a
question - where would one put session=false (struts-config.xml file or the action)
for logout or logon?

Thanks.

-Nimmi
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 30, 2001 11:15 PM
To: [EMAIL PROTECTED]
Subject: Re: STRANGE: session.invalidate() is not invalidating the session


There are a couple of things going on here.

1) I believe the session.invalidate() is working as it should. However, a
new session is being created for you after you invalidate the original one.
This would happen either because you forgot to put session="false" in your
logout page, or when the logon request is resubmitted.

2) The logon request, including the username and password, is saved in the
browser history, which is why you can back up to it and resubmit it (which
is what a refresh does).

The solution, as Jeff Krueger pointed out, is transactional tokens. In the
action which returns your logon page, you call saveToken() before forwarding
to the logon JSP. Then, in the action which processes the logon request
itself, you call isTokenValid(). This method will return true if the request
came from the form you just returned, and false if it came from some other
form, such as one previously cached by the browser. (Be sure to call
resetToken() after checking, to clean up.)

--
Martin Cooper


----- Original Message -----
From: "Shamdasani Nimmi-ANS004" <[EMAIL PROTECTED]>
To: "struts-user@jakarta. apache. org (E-mail)"
<[EMAIL PROTECTED]>
Sent: Wednesday, August 29, 2001 12:32 PM
Subject: STRANGE: session.invalidate() is not invalidating the session


> Hi,
>
> I noticed a peculiar thing. In my application I have a logout link on
> pages. This link control goes to 'Logout' action where I clean up the
> session variables and then invalidate the session with:
>
> session.invalidate();
>
> and this class forwards it to Logout.jsp which just has the goodbye
> message.
>
> I have noticed that at this point if I keep going back with the back key
> of my browser to the point where jsessionid is part of the URL, i.e.,
>
> http://localhost:8080/msqc/logon.do;jsessionid=149062E2E0A77480075991317505D453
>
> and do the browser refresh here then I can go back into the application
> without having to log in again. It is as if the session is still alive.
>
> All the screens (incl. the above URL point) going backwards from Logout.jsp
> do show the page expired message but doing refresh on the above URL screen
> only brings back the application.
>
> Could someone please explain this to me? Has anyone else seen this?
>
> BTW I am using Tomcat 4.0 and Struts 1.1 (same happens with 1.0 too)
>
> TIA.
>
> -Nimmi
>
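The two fixes Martin describes, invalidating the session without letting a replacement be created and guarding the logon action with a transaction token, as an added Struts 1.1 example. This is not code from either poster or from the Struts project; the action and forward names, the struts-config wiring sketched in the header comment and the DynaActionForm field names are assumptions, and the three public classes are shown together here although each would live in its own source file.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.DynaActionForm;

/*
 * Added example, not from the original thread. Assumed struts-config wiring:
 *   /showLogon.do -> ShowLogonAction, forward "logon"   -> /logon.jsp
 *   /logon.do     -> LogonAction,     forward "success" -> /welcome.do
 *                                     forward "retry"   -> /showLogon.do
 *   /logout.do    -> LogoutAction,    forward "goodbye" -> /logout.jsp
 * logon.jsp renders the form with <html:form action="/logon">, which emits the
 * token saved below as a hidden field. logout.jsp starts with
 * <%@ page session="false" %> so that rendering it does not create a new session.
 */

/** Returns the logon page. Point 2: save a transaction token before forwarding. */
public class ShowLogonAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) {
        saveToken(request);                  // stored in the session, rendered by <html:form>
        return mapping.findForward("logon");
    }
}

/** Processes the submitted logon form. A Back + Refresh replay carries a stale token. */
public class LogonAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) {
        // False when no token is in the session (it was invalidated at logout) or the
        // submitted hidden field does not match, i.e. the request came from the
        // browser's cached copy of the form rather than from the page just served.
        if (!isTokenValid(request)) {
            return mapping.findForward("retry");   // serve a fresh form with a fresh token
        }
        resetToken(request);                       // the token is single use

        DynaActionForm logonForm = (DynaActionForm) form;   // assumed form-bean definition
        String username = logonForm.getString("username");  // assumed field names
        String password = logonForm.getString("password");
        // ... verify username / password against the application's user store here ...

        HttpSession session = request.getSession();   // the one session we do want
        session.setAttribute("user", username);
        return mapping.findForward("success");
    }
}

/** Point 1: invalidate without creating a replacement session. */
public class LogoutAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) {
        HttpSession session = request.getSession(false);  // never create one just to kill it
        if (session != null) {
            session.invalidate();
        }
        // The forward target (logout.jsp) must declare session="false"; otherwise the
        // JSP's implicit session object silently creates the "new session" seen in the thread.
        return mapping.findForward("goodbye");
    }
}
```

The token check belongs in the action that consumes the form, not in struts-config.xml; the `session="false"` setting belongs in the JSP page directive of the page reached after logout, since a JSP page without it calls `getSession()` while rendering. On Struts 1.0 the entry point is `perform()` rather than `execute()`, with the same signature and the same `saveToken` / `isTokenValid` / `resetToken` helpers on `Action`.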
