Hi,
The problem is that the stuff in the session is removed, but the session is
still there, which fools the checking routines into thinking the user has a
valid session, even though it won't work as the objects that should be in
the session are missing.
It isn't a security issue, just a niggle with IPlanet: when I invalidate the
session I want it to go away.
Pete
> -----Original Message-----
> From: Conor D'Arcy [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 18, 2000 3:12 PM
> To: [EMAIL PROTECTED]
> Subject: Re: IPlanet 4.1 and Sessions
>
>
> >
> > 1. A user logs in and details are stored in the session, the session is
> > checked in every servlet to see if it is null and therefore if access
> > should be allowed.
> >
> > 2. The user does some stuff then logs out, the logout servlet uses
> > session.invalidate() to prevent anyone using the back button to get back
> > into the system.
> >
> Maybe I've misread the problem, but would it help to explicitly set all the
> session variables to null just before calling session.invalidate()? Then
> the session hanging around wouldn't hold any sensitive data.
>
> ___________________________________________________________________________
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff SERVLET-INTEREST".
>
> Archives: http://archives.java.sun.com/archives/servlet-interest.html
> Resources: http://java.sun.com/products/servlet/external-resources.html
> LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
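
The situation in this thread, as an added example that is not part of the original messages: the access check looks for the login object instead of only testing the session for null, so a session that outlives invalidate() with its contents gone is still treated as logged out. The class name, the attribute key `app.user` and the use of the javax.servlet 3.0+ API are assumptions.

```java
import java.util.Collections;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper; none of these names come from the thread. */
public final class SessionGuard {

    // Assumed key under which the login servlet stores the user's details.
    static final String USER_KEY = "app.user";

    private SessionGuard() {}

    /** True only if a session exists AND still holds the login object. */
    public static boolean isLoggedIn(HttpServletRequest req) {
        // getSession(false) never creates a session just to run the check.
        HttpSession session = req.getSession(false);
        if (session == null) {
            return false;
        }
        try {
            // An empty leftover session fails here, unlike a bare null test.
            return session.getAttribute(USER_KEY) != null;
        } catch (IllegalStateException invalidated) {
            // The container kept the object but marked it invalid.
            return false;
        }
    }

    /** Clears every attribute, then invalidates the session. */
    public static void logout(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session == null) {
            return;
        }
        try {
            // Copy the names first so removal does not disturb the enumeration.
            List<String> names = Collections.list(session.getAttributeNames());
            for (String name : names) {
                session.removeAttribute(name);
            }
            session.invalidate();
        } catch (IllegalStateException alreadyInvalid) {
            // Nothing left to clear.
        }
    }
}
```

Each servlet would call `SessionGuard.isLoggedIn(request)` before doing any work, and the logout servlet would call `SessionGuard.logout(request)`.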