-----Original Message-----
From: Shamdasani Nimmi-ANS004 [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 30, 2001 2:22 PM
To: '[EMAIL PROTECTED]'
Subject: RE: STRANGE: session.invalidate() is not invalidating the sessionI don't remember facing this session.invalidate() not invalidating the session problem when I was using tomcat 3.2.1. Are others who got the same problem using Tomcat 4.0-b7 also?-Nimmi-----Original Message-----
From: Krueger, Jeff [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 30, 2001 12:14 PM
To: [EMAIL PROTECTED]
Subject: RE: STRANGE: session.invalidate() is not invalidating the sessionYou have to go through a action class before your welcome.jsp, but there is a thing called a transaction token. Is what this does is generates a unique number and puts it in a hidden field on you page if your using a struts form. Then in your action class that the welcome.jsp submits to you can call isTokenValid. That will check that hidden field to make sure it is the same number that was generated and put on the page for you in the other action class. If it is valid then call resetToken and that value will be removed from the session. If the user backs up and submit the page they will have the old token and when you call isTokenValid you will get false and be able to deal with it as you please. Hope that helps.Jeff Krueger-----Original Message-----
From: Luna, Katherine [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 30, 2001 10:47 AM
To: '[EMAIL PROTECTED]'
Subject: RE: STRANGE: session.invalidate() is not invalidating the sessionI also am suffering from this problem.
I have the user object in the session, and each jsp page except the logon.jsp checks the session. This prevents display of any page EXCEPT the one immediately following the login page (Welcome.jsp). If the user refreshes Welcome.jsp, IE resubmits the LogonForm containg the username and password, LogonAction accepts these values and 'presto' the user is in again.
Basically, if the user logs out from welcome.jsp, then backs up with the Browser 'Back' button, they can refresh the page and become logged in without re-entering the username and password because these values must be stored in teh request. I have added the following code to prevent caching of LogonForm (it has scope request according to struts-config.xml)
<%
response.setHeader("pragma","no-cache");
response.setHeader("Cache-Control","no-cache");
response.setHeader("Cache-Control","no-store");
response.addDateHeader("Expires", 0);
response.setDateHeader("max-age", 0);
response.setIntHeader ("Expires", -1); //prevents caching at the proxy server
response.addHeader("cache-Control", "private"); //IE5.x only;
%>
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="expires" content="0">
but no luck. Anyone who backs in from a Logout to Welcome.jsp can simply refresh the page and resubmit whatever values were originally entered on the Login page.
This method makes every page except welcome.jsp secure. Does anyone have any suggestions for removing the values input in LoginForm from the cache??
Kat
-----Original Message-----
From: Keith Bacon [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 30, 2001 11:44 AM
To: [EMAIL PROTECTED]
Subject: RE: STRANGE: session.invalidate() is not invalidating the
session
I think there was a recent post dealing with this.
Struts tends to create a new session if there isn't one there. (every
time the action servlet runs I suspect?).To restrict access to pages you should require the user to be logged
on.
- At logon add some object to the session (I call mine singedOnUser).
- When a page starts (at start of your Action class code) if that
object the user is logged on so you allow access.
Hope that helps
Keith.
--- Shamdasani Nimmi-ANS004 <[EMAIL PROTECTED]> wrote:
> I am under the impression that session.invalidate() should be
> sufficient for logout. The problem that's happening is that I can
> run the whole application again and go to pages that I didn't go to
> before logging out, which means these pages were never in the
> cache.
>
> -Nimmi
>
> -----Original Message-----
> From: SUPRIYA MISRA [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 30, 2001 8:07 AM
> To: [EMAIL PROTECTED]
> Subject: RE: STRANGE: session.invalidate() is not invalidating the
> session
>
>
> try adding these lines to the JSP
> <%
> response.setHeader("Cache-Control","no-store"); //HTTP 1.1
> response.setHeader("Pragma","no-cache"); //HTTP 1.0
> response.setDateHeader ("Expires", 0); //prevents caching at
> the proxy
> server
>
> %>
>
>
>
>
> >From: "Dudley Butt@i-Commerce" <[EMAIL PROTECTED]>
> >Reply-To: [EMAIL PROTECTED]
> >To: "'[EMAIL PROTECTED]'"
> <[EMAIL PROTECTED]>
> >Subject: RE: STRANGE: session.invalidate() is not invalidating the
> session
> >Date: Thu, 30 Aug 2001 10:13:40 +0200
> >
> >i'm having the same problem , please help anyone?
> >
> >-----Original Message-----
> >From: Shamdasani Nimmi-ANS004 [mailto:[EMAIL PROTECTED]]
> >Sent: Wednesday, August 29, 2001 9:32 PM
> >To: struts-user@jakarta. apache. org (E-mail)
> >Subject: STRANGE: session.invalidate() is not invalidating the
> session
> >
> >
> >Hi,
> >
> >I noticed a peculiar thing. In my application I have a logout link
> on
> >pages.
> >This link control goes to 'Logout' action where I clean up the
> session
> >variables and then invalidate the session with:
> >
> >session.invalidate();
> >
> >and this class forwards it to Logout.jsp which just has the
> goodbye
> >message.
> >
> >I have noticed that at this point if I keep going back with the
> back key of
> >my browser to the point where jsessionid is part of the URL, i.e.,
> >
>
>http://localhost:8080/msqc/logon.do;jsessionid=149062E2E0A77480075991317505D
> >453
> >
> >
> >and do the browser refresh here then I can go back into the
> application
> >without having to log in again. It is as if the session is still
> alive.
> >
> >All the screens(incl. the above URL point) going backwards from
> Logout.jsp
> >do show the page expired message but doing refresh on the above
> URL screen
> >only brings back the application
> >
> >Could someone please explain this to me? Has anyone else seen
> this?
> >
> >BTW I am using Tomcat 4.0 and Struts 1.1(same happens with 1.0
> too)
> >
> >TIA.
> >
> >-Nimmi
> >
> >
>
>**********************************************************************
> >This email and any files transmitted with it are confidential and
> >intended solely for the use of the individual or entity to whom
> they
> >are addressed. If you have received this email in error please
> notify
> >the system manager.
> >
> >This footnote also confirms that this email message has been swept
> by
> >MIMEsweeper for the presence of computer viruses.
> >
> >www.mimesweeper.com
>
>**********************************************************************
>
>
> _________________________________________________________________
> Get your FREE download of MSN Explorer at
http://explorer.msn.com/intl.asp
__________________________________________________
Do You Yahoo!?
Get email alerts & NEW webcam video instant messaging with Yahoo! Messenger
http://im.yahoo.com
Title: RE: STRANGE: session.invalidate() is not invalidating the session
I take
it back. I went back to tomcat 3.2.1 and it has the same problem. One thing
I did find was that if you went back to the screen with jsessionid in URL using
browser back and if that screen has any links, etc. and you clicked
that link you get NullPointerException. But if you just did browser refresh
the links start working again.
Craig,
if you read this email then could you please explain this session returning back
situation.
TIA
-Nimmi
