instead of doing this, on your logout confirm JSP, use a meta expires tag to kill everything, then back will not function.
http://www.htmlhelp.com/reference/wilbur/head/meta.html > -----Original Message----- > From: Chris Chappell [mailto:[EMAIL PROTECTED] > Sent: 02 December 2004 11:52 > To: [EMAIL PROTECTED] > Subject: Re: LogOut from JDBC Realm > > > Hi there - > > Thanks for the responses and sorry to get back to this - I > haven't made any progress and have had other problems > (challenges?) to fix first! > > I have a link to a logout servlet with the doGet() method below. > Using eclipse debugging shows that the session > "isValid=false" on invalidate correctly. > > However clicking "back" on the browser creates a new session > (with "isValid=true")in my session handling function called > from every page (except logout): > > public static HttpSession setSessionData (HttpServletRequest request) > { > HttpSession session = request.getSession(true); > if (session.getAttribute("viewmode") ==null) > session.setAttribute("viewmode", "B"); > ... > } > > So it doesn't seem that invalidate() is destroying the > authentication - only clearing a session which can be recreated. > Should I check if the session is invalid and forward to my > logout page if so, or is there a way of invalidating the login info? > > Can anyone shed some photons on this. > > TC :5.0.19, Solaris 9, Mysql 4.something - JDBC Realm, SSL + > filter giving Cache-Control - private,no-cache,no-store > > Chris Chappell > > > public void doGet(HttpServletRequest request, > HttpServletResponse response) throws ServletException, IOException { > > response.setContentType("text/html"); > PrintWriter out = response.getWriter(); > HttpSession session = request.getSession(); > session.invalidate(); > out.println(GeneralUI.htmlHeader()); > out.println("<table width=100%><tr height=200 > valign=center><td align=center>Goodbye - you are now logged > out</td></tr></table>"); > out.println(GeneralUI.htmlFooter()); > return; > } > > > > > On Tuesday 23 November 2004 17:09, Chris Chappell wrote: > > Hi there > > Hi, > > > Can anyone give me a pointer how to logout a JDBC Realm > authenticated user > > without closing the browser. E.g. I need a log out button > which forwards to > > a goodbye page and does something like this (fictitious) > > "userSession.expire();" I've had a trawl thriough the docs > etc and nothing > > springs to obvious use. Using SSL though don't think this > would change > > anything re this. > > Just include this: <% session.invalidate(); %> it works on > both 8080 (normal) > and 8443 (ssl) connections. > > > (TC 5.0.19 on Sol9 + MySQL 4) > > <FONT SIZE=1 FACE="VERDANA,ARIAL" COLOR=BLUE> ------------------------------------------------------- QAS Ltd. Developers of QuickAddress Software <a href="http://www.qas.com";>www.qas.com</a> Registered in England: No 2582055 Registered in Australia: No 082 851 474 ------------------------------------------------------- </FONT>
