Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Session invalidation in FF , Tomcat

Tags:

jsp

session

tomcat6

I am using Tomcat web container. I have an admin console app implemented. When I click on logout a session attribute is made null and invalidated see the below code in my logout.jsp file. After logout the user is taken to the login page. In fireFox I click back button I have the below issues. First I do not get page expired page like in IE Second when I click on any of the link in the page , I check for the sessioon attribute which I made null in logout. The value of that is "success". I am totally confused with this behaviour. Is it issue with firefox or tomcat session management.

I am sure I need more knowledge to understand this behaviour. Appreciate your help in letting me know what happens here...

<%@ page session="false" %>
<%
response.setHeader("cache-control","no-cache");
response.setHeader("Pragma","no-cache");
response.setDateHeader("Expires",-1);

%>
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
    <% 
    HttpSession session = request.getSession(false);
    System.out.println("session"+session);
    session.setAttribute("loginStatus",null);
    session.invalidate();
  %>
like image 277
Sandeep Avatar asked Nov 24 '25 16:11

Sandeep

1 Answers

The headers are incomplete. You need the following set of headers:

response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
response.setDateHeader("Expires", 0); // Proxies.

Escpecially the must-revalidate entry fixes this particular FF issue.

See also

  • Making sure a webpage is not cached across all browsers
  • Caching tutorial

Unrelated to the actual problem, I've a few comments about this piece of code:

  • You should prefer UTF-8 over ISO-8859-1 to gain world domination.
  • Raw Java code in a JSP page is poor practice. The response headers needs to be set in a Filter and the logout needs to happen (indirectly) in a Servlet.
  • Calling getSession(false) with false may return a null session which in turn can lead to a NullPointerException in certain circumstances. Get rid of false or at least add a nullcheck.
  • Setting attribute to null right before calling invalidate() is unnecessary. The invalidate() call already trashes all the attribtues.

Hope you learn something from this.

like image 181
BalusC Avatar answered Nov 27 '25 18:11

BalusC
Sign in to Comment

Related questions

Excel file reading in Java(Simple JSP and Servlet) [closed]
How to access partial Web Content in Liferay within JSP
Multiple Pages Inside One Portlet
How do I check that a session object contains a particular key/value entry

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!