Hi,

I seem to be having a problem with session.invalidate(). I'm using this for
users to log out of my web site but it seems to take two attempts before the user
is properly logged out!

I am using JDBCRealms for authentication BTW.

I have set up a simple four page web site:

test/jsp/index.jsp ---- front page
<%
response.setHeader("Cache-Control","no-cache"); //HTTP 1.1
response.setHeader("Pragma","no-cache"); //HTTP 1.0
response.setDateHeader ("Expires", 0); //prevents caching at the proxy server
%>
<html>
<body>
<%=request.toString()%><br>
<%=request.getSession (false)%><br>
<%=request.getRemoteUser()%><br>
<%=request.getUserPrincipal()%><br>

<h2><a href="protected/index.jsp">Login</a></h2>

</body>
</html>


test/jsp/protected/index.jsp --- protected page
<%
response.setHeader("Cache-Control","no-cache"); //HTTP 1.1
response.setHeader("Pragma","no-cache"); //HTTP 1.0
response.setDateHeader ("Expires", 0); //prevents caching at the proxy server
%>
<html>
<body>

<%=request.toString()%><br>
<%=request.getSession (false)%><br>
<h2>you are currently logged in as <%= request.getRemoteUser() %></h2>
<h3><a href="logout.jsp">Logout</a></h3>

</body>
</html>


test/jsp/protected/logout.jsp --- logout page
<%
response.setHeader("Cache-Control","no-cache"); //HTTP 1.1
response.setHeader("Pragma","no-cache"); //HTTP 1.0
response.setDateHeader ("Expires", 0); //prevents caching at the proxy server
%>
<html>
<body>
<%=request.toString()%><br>
<%=request.getSession (false)%><br>
<%=request.getRemoteUser()%><br>
<%=request.getUserPrincipal()%><br>
<%
     session.invalidate ();
%>
<%=request.getSession (false)%><br>
<%=request.toString()%><br>
<%=request.getRemoteUser()%><br>
<%=request.getUserPrincipal()%><br>

<a href="../index.jsp">home</a>.
</body>
</html>


test/jsp/login/login.jsp --- login page used by FORM based authentication.
<html>
<body>
<h1>Login page </h1>

<form method="POST" action="j_security_check" >
 Username: <input type="text" name="j_username"><br>
 Password: <input type="password" name="j_password"><br>
 <br>
 <input type="submit" value="login" name="j_security_check">
</form>

</body>
</html>


The problem occurs like this:
The first time around the request for protected/index.jsp is detected and you
have to log in.
From there, access the logout page which does a <% session.invalidate();%>.
Then back to jsp/index.jsp, try and access the protected page from here ------
straight in as still authenticated.
Accessing the log out page again, actually logs out this time!

Is this a known problem? Any possible workarounds?

Thanks,
Sam.
PS. This works fine on TC3.2.1
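
Added example (not part of the post above, and not Tomcat code): the reproduction steps from the message written as an automated check that a single request to logout.jsp ends the authenticated state. The `get`/`post` transport callables, the `FakeContainer` stand-in with its `logouts_needed` setting, and the credentials are assumptions constructed for illustration; the stand-in only mimics the reported symptom and says nothing about its cause.

```python
LOGIN_FORM_MARKER = 'name="j_username"'   # field name from the post's login.jsp
PROTECTED = "protected/index.jsp"
LOGOUT = "protected/logout.jsp"

def logout_terminates_auth(get, post, user, password):
    """Log in, request logout.jsp once, then re-request the protected page.

    get(path) and post(path, form) are caller-supplied functions (assumption)
    that share one cookie jar, follow redirects and return the response body.
    Returns True only if one logout makes the login form reappear."""
    if LOGIN_FORM_MARKER not in get(PROTECTED):
        raise RuntimeError("expected the login form before authenticating")
    # Assumption: the form is served at the protected URL, so its relative
    # action "j_security_check" resolves under protected/.
    post("protected/j_security_check", {"j_username": user, "j_password": password})
    if LOGIN_FORM_MARKER in get(PROTECTED):
        raise RuntimeError("login failed, cannot test logout")
    get(LOGOUT)
    return LOGIN_FORM_MARKER in get(PROTECTED)

class FakeContainer:
    """Constructed in-memory stand-in for a FORM-auth web app (not Tomcat).
    logouts_needed=2 mimics the symptom reported in the post."""
    def __init__(self, logouts_needed=1):
        self.logouts_needed = logouts_needed
        self.user, self.logouts = None, 0

    def get(self, path):
        if not path.startswith("protected/"):
            return "front page"
        if self.user is None:
            return '<form action="j_security_check"><input name="j_username"></form>'
        if path == LOGOUT:
            self.logouts += 1
            if self.logouts >= self.logouts_needed:
                self.user = None
            return "logged out"
        return "you are currently logged in as " + self.user

    def post(self, path, form):
        # "secret" is a constructed password for the stand-in only.
        if path.endswith("j_security_check") and form.get("j_password") == "secret":
            self.user, self.logouts = form["j_username"], 0
        return self.get(PROTECTED)

if __name__ == "__main__":
    for needed in (1, 2):
        app = FakeContainer(logouts_needed=needed)
        ok = logout_terminates_auth(app.get, app.post, "sam", "secret")
        print(f"logouts_needed={needed}: logout ends auth -> {ok}")
```

Against a real deployment, `get` and `post` would wrap an HTTP client with a shared cookie jar pointed at the application's base URL.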


