Solved

about session

Posted on 2004-10-13
Last Modified: 2010-04-01
Hi expert,
I want to ask you about sessions. When you log in, do something, then log out, and after that you press the BACK button ... you log in again.
Can you solve this problem? I mean, after you press BACK, you CAN NOT log in to the system again.
Thank you.
Question by:quoclan
 
LVL 35

Expert Comment

by:TimYates
ID: 12298438
you mean press BACK to the login page, then type your details in again?

That will always work...

try putting this in the JSPs you want to protect:

<%
      // Set to expire far in the past.
      response.setHeader("Expires", "Sat, 6 May 1995 12:00:00 GMT");

      // Set standard HTTP/1.1 no-cache headers.
      response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");

      // Set IE extended HTTP/1.1 no-cache headers (use addHeader).
      response.addHeader("Cache-Control", "post-check=0, pre-check=0");

      // Set standard HTTP/1.0 no-cache header.
      response.setHeader("Pragma", "no-cache");
%>
0
 
LVL 14

Expert Comment

by:sudhakar_koundinya
ID: 12302064
extending the TimYates solution,


<html>
<head>
<%
      // Set to expire far in the past.
      response.setHeader("Expires", "Sat, 6 May 1995 12:00:00 GMT");

      // Set standard HTTP/1.1 no-cache headers.
      response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");

      // Set IE extended HTTP/1.1 no-cache headers (use addHeader).
      response.addHeader("Cache-Control", "post-check=0, pre-check=0");

      // Set standard HTTP/1.0 no-cache header.
      response.setHeader("Pragma", "no-cache");
%>
</head>
</html>

<html>
<!-- Your protected page -->
</html>


<html>
<head>
<%
      // Set to expire far in the past.
      response.setHeader("Expires", "Sat, 6 May 1995 12:00:00 GMT");

      // Set standard HTTP/1.1 no-cache headers.
      response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");

      // Set IE extended HTTP/1.1 no-cache headers (use addHeader).
      response.addHeader("Cache-Control", "post-check=0, pre-check=0");

      // Set standard HTTP/1.0 no-cache header.
      response.setHeader("Pragma", "no-cache");
%>
</head>
</html>


This is more protected.
0
 
LVL 2

Author Comment

by:quoclan
ID: 12306222
To sudhakar_koundinya:
Why do you add three <html></html> in one page? I don't know this. If one page has three <html> tags, which one will it choose to display? Can you explain more to me?
Thank you.
0

 
LVL 35

Expert Comment

by:TimYates
ID: 12306407
I'm intrigued by that too ;-)

I never have to do any of those things...

quoclan, did you mean press BACK to the login page, then type your details in again?
0
 
LVL 14

Expert Comment

by:sudhakar_koundinya
ID: 12306587
Somewhere on the net I read that setting the expiry content before the HTML content and after the HTML content protects the page more. Sadly I forgot that URI to show you.

<Html>
<head>
<!-- expiry settings-->
</head>

<head>
</head>
<body>
</body>
<head>
<!-- expiry settings-->
</head>
</html>

0
 
LVL 35

Expert Comment

by:TimYates
ID: 12306668
I wonder if all browsers work with that...

I assume it's to get round some "feature" of the dreadful IE4...  So hopefully it shouldn't be needed now....  Hopefully ;-)
0
 
LVL 2

Author Comment

by:quoclan
ID: 12326829
Hi,
I checked your solution. But when I press Refresh, it still logs in.
Can you give me another solution?
Thanks.
0
 
LVL 2

Author Comment

by:quoclan
ID: 12326849
I mean, your solution is right. When I press BACK, it shows "Page has expires". Then I press Refresh, and it still logs in to the system again.
0
 
LVL 35

Expert Comment

by:TimYates
ID: 12326896
> Then I press Refresh, and it still logs in to the system again.

Yeah, because it posts the login details again...

When you log in, have the page that performs the login checks send a redirect to the first page

response.sendRedirect( "welcom.jsp" ) ;

That way, you shouldn't be able to press "back" and see the page just after login...
0
 
LVL 2

Author Comment

by:quoclan
ID: 12331574
Yes, I have a page that performs the login check. After that, I use this:
<jsp:forward page='<%=response.encodeUrl("welcome.jsp")%>' />
and welcome.jsp is protected by your code (and I also tried sudhakar_koundinya's code).

I don't know how Tomcat does this (I haven't downloaded Tomcat's source). Does Tomcat use the same way you showed me?
Thanks.
0
 
LVL 2

Author Comment

by:quoclan
ID: 12339642
Hi all,
can you help me with this problem?
0
 
LVL 35

Expert Comment

by:TimYates
ID: 12340304
You are going to have to show us what you are doing... And the steps you take to show the bug...

 What we have suggested should work

There must be another piece of the puzzle missing...

Can you post a simple example which shows the error?
0
 
LVL 2

Author Comment

by:quoclan
ID: 12343909
I have a login.jsp that receives 2 parameters from login.htm: username and password.
After checking this username and password in the database, if they match then I use
<jsp:forward page='<%=response.encodeUrl("welcome.jsp")%>' />
If they do not match, I redirect to login.htm.
In welcome.jsp, I use your code to protect my JSP:
<%@ page import="java.util.Date"%>
<%
      // Set to expire now (the current time).
      response.setHeader("Expires", new Date().toString());

      // Set standard HTTP/1.1 no-cache headers.
      response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");

      // Set IE extended HTTP/1.1 no-cache headers (use addHeader).
      response.addHeader("Cache-Control", "post-check=0, pre-check=0");

      // Set standard HTTP/1.0 no-cache header.
      response.setHeader("Pragma", "no-cache");
%>
<!--
my code
-->
When I press "Log out" in welcome.jsp, I invalidate the session, then redirect to login.htm.
After that, I press BACK, and IE shows "Page that has expires". I try pressing REFRESH, then welcome.jsp is displayed.

Do I have some problems in my code?
0
 
LVL 35

Expert Comment

by:TimYates
ID: 12345368
instead of:

<jsp:forward page='<%=response.encodeUrl("welcome.jsp")%>' />

try

<% response.sendRedirect( "welcome.jsp" ) ; %>
0
 
LVL 2

Author Comment

by:quoclan
ID: 12387812
I tried your solution, but it's worse than before the change.
When I press BACK, it goes directly to my protected JSP (it doesn't display the expired page).
Thanks.
0
 
LVL 2

Author Comment

by:quoclan
ID: 12387843
I post my code here:
1. First, welcome.htm receives the username and password from the user. After that, it submits to welcome.jsp:
<html>
<head>
<title>Welcome</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body bgcolor="#FFFFFF" text="#000000">
<form name="form1" method="post" action="welcome.jsp">
  <p align="left">&nbsp; </p>
  <p align="center"><b>Username&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</b>
    <input type="text" name="username">
  </p>
  <p align="center"><b>Password </b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <input type="password" name="password">
  </p>
  <p align="center">
    <input type="submit" name="ok" value="OK">
    <input type="reset" name="cancel" value="Cancel">
  </p>
</form>
</body>
</html>

2. welcome.jsp checks the username and password in the database through a JavaBean that has id=graph. If they match, it uses response.sendRedirect("draw.jsp"):

<jsp:useBean id="graph" class="DB.Graph"/>
<%
      session= request.getSession(true);
      String username=request.getParameter("username");
      String password=request.getParameter("password");            
      int i=graph.login(username,password);
      
      if(i==1)      //match
      {
            response.sendRedirect("draw.jsp");
            
      }
      else
      if(i==0)      out.println("username or password invalid");      
%>

3. draw.jsp displays some info and a sign out button. When sign out is clicked, it uses session.invalidate() and response.sendRedirect("welcome.htm"). draw.jsp is protected by your code:

<%@ page import="java.util.Date"%>
<%
      
      response.setHeader("Expires",new Date().toString());
      response.setHeader("Cache-Control","no-store,no-cache,must-revalidate");
      response.addHeader("Cache-Control","post-check=0,pre-check=0");
      response.setHeader("Pragma","no-cache");
%>


<html>
<head>
<title>Draw</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body bgcolor="#FFFFFF" text="#000000">
<form name="form1" method="post" action="draw.jsp">
  <p>
    <input type="submit" name="signout" value="SignOut">
  </p>
  <p><b>Soft &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <input type="text" name="soft">
    &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    </b></p>
  <p><b>Devices&nbsp;
    <input type="text" name="device">
    </b></p>
  <p><b>Other&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <input type="text" name="other">
    </b></p>
  <p><b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <input type="submit" name="graph" value="Graph">
    <input type="reset" name="cancel" value="Cancel">
    &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</b></p>
  </form>

<%@ page session="true"%>
<%      
      String signout=request.getParameter("signout");
      String graph=request.getParameter("graph");

      if(signout!=null)      
      {
            session.invalidate();
            response.sendRedirect("welcome.htm");
      }      
      else
      if(graph!=null)
      {
            out.println("draw");
      }

%>
</body>
</html>

<%@ page import="java.util.Date"%>
<%
      
      response.setHeader("Expires",new Date().toString());
      response.setHeader("Cache-Control","no-store,no-cache,must-revalidate");
      response.addHeader("Cache-Control","post-check=0,pre-check=0");
      response.setHeader("Pragma","no-cache");
%>

Can you view this? Can you show me my problem?
0
 
LVL 2

Author Comment

by:quoclan
ID: 12407211
Can anyone help me?
0
 
LVL 35

Expert Comment

by:TimYates
ID: 12408447
Change welcome.htm to index.jsp:

<html>
    <head>
        <title>Welcome</title>
        <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    </head>
    <body bgcolor="#FFFFFF" text="#000000">
<%
    if( request.getParameter( "invalid" ) != null )
    {
        out.println( "<h1>Invalid login details</h1>" ) ;
    }
%>
        <form name="form1" method="post" action="welcome.jsp">
            <p align="left">&nbsp; </p>
            <p align="center"><b>Username&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</b>
                <input type="text" name="username">
            </p>
            <p align="center"><b>Password </b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
                <input type="password" name="password">
            </p>
            <p align="center">
                <input type="submit" name="ok" value="OK">
                <input type="reset" name="cancel" value="Cancel">
            </p>
        </form>
    </body>
</html>

Then change welcome.jsp to:

<%@ page import="java.util.Date"%>
<jsp:useBean id="graph" class="DB.Graph"/>
<%
     response.setHeader("Expires",new Date().toString());
     response.setHeader("Cache-Control","no-store,no-cache,must-revalidate");
     response.addHeader("Cache-Control","post-check=0,pre-check=0");
     response.setHeader("Pragma","no-cache");
     session= request.getSession(true);
     String username=request.getParameter("username");
     String password=request.getParameter("password");          
     int i=graph.login(username,password);
     
     if(i==1)     //match
          response.sendRedirect("draw.jsp");
     else
          response.sendRedirect( "index.jsp?invalid=yes" ) ;
%>

Any help?  Hope so!

Tim
0
 
LVL 2

Author Comment

by:quoclan
ID: 12410501
Did you try your code? I tried it, but it's still wrong.
Do you have any solution?
Please help me!
0
 
LVL 35

Expert Comment

by:TimYates
ID: 12410525
> Did you try your code? I tried it, but it's still wrong.

I am not 100% sure what you are doing...or what is happening...

Are you going back to welcome.jsp?  and pressing refresh?

You shouldn't be able to go back to welcome.jsp...
0
 
LVL 2

Author Comment

by:quoclan
ID: 12414628
Yes, I don't go back to welcome.jsp, but I go directly to draw.jsp without being asked to press Refresh!!
It doesn't show the expired page!
I think forward is better than sendRedirect!
You can try it.
0
 
LVL 35

Assisted Solution

by:TimYates
TimYates earned 120 total points
ID: 12419056
What happens if you change Welcome.jsp to:

-----------------------

<%@ page import="java.util.Date"%>
<jsp:useBean id="graph" class="DB.Graph"/>
<%
     response.setHeader("Expires",new Date().toString());
     response.setHeader("Cache-Control","no-store,no-cache,must-revalidate");
     response.addHeader("Cache-Control","post-check=0,pre-check=0");
     response.setHeader("Pragma","no-cache");
     String username=request.getParameter("username");
     String password=request.getParameter("password");          
     int i=graph.login(username,password);
     
     if(i==1)     //match
     {
          session.setAttribute( "loggedIn", "yes" ) ;
          response.sendRedirect("draw.jsp");
     }
     else
     {
          response.sendRedirect( "index.jsp?invalid=yes" ) ;
          session.removeAttribute( "loggedIn" ) ;
     }
%>

And change the beginning of draw.jsp to:

<%@ page import="java.util.Date"%>
<%
     
     response.setHeader("Expires",new Date().toString());
     response.setHeader("Cache-Control","no-store,no-cache,must-revalidate");
     response.addHeader("Cache-Control","post-check=0,pre-check=0");
     response.setHeader("Pragma","no-cache");
     if( session.getAttribute( "loggedIn" ) == null )
     {
          response.sendRedirect( "index.jsp?invalid=yes" ) ;
          return ; // stop here so the rest of the protected page is not processed
     }
%>
0
 
LVL 2

Accepted Solution

by:
arnon81 earned 100 total points
ID: 12528454
welcome.jsp

<jsp:useBean id="graph" class="DB.Graph"/>
<%
     
     String username=request.getParameter("username");
     String password=request.getParameter("password");          
     int i=graph.login(username,password);
     
     if(i==1)     //match
     {
        session.setAttribute("login", "horay");
          response.sendRedirect("draw.jsp");
         
     }
     else
     if(i==0)     out.println("username or password invalid");    
%>


draw.jsp
<%@ page import="java.util.Date"%>
<%
     
     response.setHeader("Expires",new Date().toString());
     response.setHeader("Cache-Control","no-store,no-cache,must-revalidate");
     response.addHeader("Cache-Control","post-check=0,pre-check=0");
     response.setHeader("Pragma","no-cache");

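// getAttribute returns Object, so a cast is needed
String horay = (String) session.getAttribute("login");
if (horay==null)
{
      response.sendRedirect ("welcome.htm");
      return; // stop here so the rest of draw.jsp is not processed
}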
%>

and then the rest of draw.jsp...........

and then on your code
 if(signout!=null)    
     {
          session.invalidate();
          response.sendRedirect("welcome.htm");
     }    
make it so it says
 if(signout!=null)    
     {
          session.setAttribute("login", null);
          response.sendRedirect("welcome.htm");
     }

Hope this solves your problem.
Arnon    
0
 
LVL 2

Author Comment

by:quoclan
ID: 12551260
Thanks TimYates and arnon81.
I will reply as soon as possible.
0
 
LVL 35

Expert Comment

by:TimYates
ID: 13620496
Going by the last comment, I'd suggest either splitting between TimYates and arnon81, or splitting between all experts...
0
 
LVL 2

Author Comment

by:quoclan
ID: 13624588
I'm sorry ...
Thanks TimYates and arnon81 very much.
0
