Solved

about session

Posted on 2004-10-13
27
207 Views
Last Modified: 2010-04-01
Hi expert,
I want to ask you about sessions. When you log in, do something, then log out, and after that press the BACK button ... you log in again.
Can you solve this problem? I mean, after you press BACK, you CAN NOT log in again to the system.
Thank you.
0
Question by:quoclan
27 Comments
 
LVL 35

Expert Comment

by:TimYates
ID: 12298438
you mean press BACK to the login page, then type your details in again?

That will always work...

try putting this in the JSPs you want to protect:

<%
      // Set to expire far in the past.
      response.setHeader("Expires", "Sat, 6 May 1995 12:00:00 GMT");

      // Set standard HTTP/1.1 no-cache headers.
      response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");

      // Set IE extended HTTP/1.1 no-cache headers (use addHeader).
      response.addHeader("Cache-Control", "post-check=0, pre-check=0");

      // Set standard HTTP/1.0 no-cache header.
      response.setHeader("Pragma", "no-cache");
%>
0
 
LVL 14

Expert Comment

by:sudhakar_koundinya
ID: 12302064
extending TimYates' solution,


<html>
<head>
<%
      // Set to expire far in the past.
      response.setHeader("Expires", "Sat, 6 May 1995 12:00:00 GMT");

      // Set standard HTTP/1.1 no-cache headers.
      response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");

      // Set IE extended HTTP/1.1 no-cache headers (use addHeader).
      response.addHeader("Cache-Control", "post-check=0, pre-check=0");

      // Set standard HTTP/1.0 no-cache header.
      response.setHeader("Pragma", "no-cache");
%>
</head>
</html>

<html>
<!-- Your protected page -->
</html>


<html>
<head>
<%
      // Set to expire far in the past.
      response.setHeader("Expires", "Sat, 6 May 1995 12:00:00 GMT");

      // Set standard HTTP/1.1 no-cache headers.
      response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");

      // Set IE extended HTTP/1.1 no-cache headers (use addHeader).
      response.addHeader("Cache-Control", "post-check=0, pre-check=0");

      // Set standard HTTP/1.0 no-cache header.
      response.setHeader("Pragma", "no-cache");
%>
</head>
</html>


This is more protected.
0
 
LVL 2

Author Comment

by:quoclan
ID: 12306222
to sudhakar_koundinya:
Why do you add three <html></html> in one page? I don't understand this. If one page has three <html> tags, which one will it choose to display? Can you explain more to me?
Thank you.
0
 
LVL 35

Expert Comment

by:TimYates
ID: 12306407
I'm intrigued by that too ;-)

I never have to do any of those things...

quoclan, did you mean press BACK to the login page, then type your details in again?
0
 
LVL 14

Expert Comment

by:sudhakar_koundinya
ID: 12306587
Somewhere I read on the net that setting the expiry content before the HTML content and after the HTML content protects the page more. Sadly I forgot that URI, so I can't show you.

<html>
<head>
<!-- expiry settings-->
</head>

<head>
</head>
<body>
</body>
<head>
<!-- expiry settings-->
</head>
</html>

0
 
LVL 35

Expert Comment

by:TimYates
ID: 12306668
I wonder if all browsers work with that...

I assume it's to get round some "feature" of the dreadful IE4...  So hopefully it shouldn't be needed now....  Hopefully ;-)
0
 
LVL 2

Author Comment

by:quoclan
ID: 12326829
Hi,
I checked your solution. But when I press Refresh, it still logs in.
Can you give me another solution?
Thanks.
0
 
LVL 2

Author Comment

by:quoclan
ID: 12326849
I mean, your solution is right. When I press BACK, it shows "Page has expired". Then, when I press Refresh, it still logs in to the system again.
0
 
LVL 35

Expert Comment

by:TimYates
ID: 12326896
> Then, i press Refresh, it still log in system again.

Yeah, because it posts the login details again...

When you log in, have the page that performs the login checks send a redirect to the first page

response.sendRedirect( "welcome.jsp" ) ;

That way, you shouldn't be able to press "back" and see the page just after login...
0
 
LVL 2

Author Comment

by:quoclan
ID: 12331574
Yes, I have a page that performs the login check, and after that I use this:
<jsp:forward page="<%=response.encodeURL("welcome.jsp")%>"/>
and welcome.jsp is protected by your code (and I also tried sudhakar_koundinya's code).

I don't know how Tomcat does this (I haven't downloaded Tomcat's source). Does Tomcat use the same way you showed me?
Thanks.
0
 
LVL 2

Author Comment

by:quoclan
ID: 12339642
Hi all,
can you help me with this problem?
0
 
LVL 35

Expert Comment

by:TimYates
ID: 12340304
You are going to have to show us what you are doing... And the steps you take to show the bug...

 What we have suggested should work

There must be another piece of the puzzle missing...

Can you post a simple example which shows the error?
0
 
LVL 2

Author Comment

by:quoclan
ID: 12343909
I have a login.jsp that receives 2 parameters from login.htm: username and password.
After checking this username and password in the database, if they match I use
<jsp:forward page="<%=response.encodeURL("welcome.jsp")%>"/>
and if they don't match, I redirect to login.htm.
In welcome.jsp, I use your code to protect my JSP:
<%@ page import="java.util.Date"%>
<%
      // Set to expire far in the past.
      response.setHeader("Expires", new Date().toString());

      // Set standard HTTP/1.1 no-cache headers.
      response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");

      // Set IE extended HTTP/1.1 no-cache headers (use addHeader).
      response.addHeader("Cache-Control", "post-check=0, pre-check=0");

      // Set standard HTTP/1.0 no-cache header.
      response.setHeader("Pragma", "no-cache");
%>
<!--
my code
-->
When I press "Log out" in welcome.jsp, I invalidate the session, then redirect to login.htm.
After that, I press BACK and IE shows "Page has expired". When I try pressing REFRESH, welcome.jsp is displayed.

Do I have some problems in my code?
0
 
LVL 35

Expert Comment

by:TimYates
ID: 12345368
instead of:

<jsp:forward page="<%=response.encodeURL("welcome.jsp")%>"/>

try

<% response.sendRedirect( "welcome.jsp" ) ; %>
0
 
LVL 2

Author Comment

by:quoclan
ID: 12387812
I tried your solution, but it's worse than before I changed it.
When I press BACK, it goes directly to my protected JSP (it doesn't display the expired page).
Thanks.
0
 
LVL 2

Author Comment

by:quoclan
ID: 12387843
I post my code here:
1. First, welcome.htm receives the username and password from the user. After that, it submits to welcome.jsp:
<html>
<head>
<title>Welcome</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body bgcolor="#FFFFFF" text="#000000">
<form name="form1" method="post" action="welcome.jsp">
  <p align="left">&nbsp; </p>
  <p align="center"><b>Username&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</b>
    <input type="text" name="username">
  </p>
  <p align="center"><b>Password </b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <input type="text" name="password">
  </p>
  <p align="center">
    <input type="submit" name="ok" value="OK">
    <input type="reset" name="cancel" value="Cancel">
  </p>
</form>
</body>
</html>

2. welcome.jsp checks the username and password in the database through a JavaBean with id=graph. If they match, it uses response.sendRedirect("draw.jsp"):

<jsp:useBean id="graph" class="DB.Graph"/>
<%
      session= request.getSession(true);
      String username=request.getParameter("username");
      String password=request.getParameter("password");            
      int i=graph.login(username,password);
      
      if(i==1)      //match
      {
            response.sendRedirect("draw.jsp");
            
      }
      else
      if(i==0)      out.println("username or password invalid");      
%>

3. draw.jsp displays some info and a sign-out button. When sign out is clicked, it uses session.invalidate() and response.sendRedirect("welcome.htm"). draw.jsp is protected by your code:

<%@ page import="java.util.Date"%>
<%
      
      response.setHeader("Expires",new Date().toString());
      response.setHeader("Cache-Control","no-store,no-cache,must-revalidate");
      response.addHeader("Cache-Control","post-check=0,pre-check=0");
      response.setHeader("Pragma","no-cache");
%>


<html>
<head>
<title>Draw</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body bgcolor="#FFFFFF" text="#000000">
<form name="form1" method="post" action="draw.jsp">
  <p>
    <input type="submit" name="signout" value="SignOut">
  </p>
  <p><b>Soft &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <input type="text" name="soft">
    &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    </b></p>
  <p><b>Devices&nbsp;
    <input type="text" name="device">
    </b></p>
  <p><b>Other&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <input type="text" name="other">
    </b></p>
  <p><b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <input type="submit" name="graph" value="Graph">
    <input type="reset" name="cancel" value="Cancel">
    &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</b></p>
  </form>

<%@ page session="true"%>
<%      
      String signout=request.getParameter("signout");
      String graph=request.getParameter("graph");

      if(signout!=null)      
      {
            session.invalidate();
            response.sendRedirect("welcome.htm");
      }      
      else
      if(graph!=null)
      {
            out.println("draw");
      }

%>
</body>
</html>

<%@ page import="java.util.Date"%>
<%
      
      response.setHeader("Expires",new Date().toString());
      response.setHeader("Cache-Control","no-store,no-cache,must-revalidate");
      response.addHeader("Cache-Control","post-check=0,pre-check=0");
      response.setHeader("Pragma","no-cache");
%>

Can you view this? Can you show me my problem?
0
 
LVL 2

Author Comment

by:quoclan
ID: 12407211
Can anyone help me??
0
 
LVL 35

Expert Comment

by:TimYates
ID: 12408447
Change welcome.htm to index.jsp:

<html>
    <head>
        <title>Welcome</title>
        <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    </head>
    <body bgcolor="#FFFFFF" text="#000000">
<%
    if( request.getParameter( "invalid" ) != null )
    {
        out.println( "<h1>Invalid login details</h1>" ) ;
    }
%>
        <form name="form1" method="post" action="welcome.jsp">
            <p align="left">&nbsp; </p>
            <p align="center"><b>Username&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</b>
                <input type="text" name="username">
            </p>
            <p align="center"><b>Password </b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
                <input type="text" name="password">
            </p>
            <p align="center">
                <input type="submit" name="ok" value="OK">
                <input type="reset" name="cancel" value="Cancel">
            </p>
        </form>
    </body>
</html>

Then change welcome.jsp to:

<%@ page import="java.util.Date"%>
<jsp:useBean id="graph" class="DB.Graph"/>
<%
     response.setHeader("Expires",new Date().toString());
     response.setHeader("Cache-Control","no-store,no-cache,must-revalidate");
     response.addHeader("Cache-Control","post-check=0,pre-check=0");
     response.setHeader("Pragma","no-cache");
     session= request.getSession(true);
     String username=request.getParameter("username");
     String password=request.getParameter("password");          
     int i=graph.login(username,password);
     
     if(i==1)     //match
          response.sendRedirect("draw.jsp");
     else
          response.sendRedirect( "index.jsp?invalid=yes" ) ;
%>

Any help?  Hope so!

Tim
0
 
LVL 2

Author Comment

by:quoclan
ID: 12410501
Did you try your code? I tried it, but it's still wrong.
Do you have any solution?
Please help me!
0
 
LVL 35

Expert Comment

by:TimYates
ID: 12410525
>  do you try your code ? I try it, but it's still wrong.

I am not 100% sure what you are doing...or what is happening...

Are you going back to welcome.jsp?  and pressing refresh?

You shouldn't be able to go back to welcome.jsp...
0
 
LVL 2

Author Comment

by:quoclan
ID: 12414628
Yes, I don't go back to welcome.jsp, but I go directly to draw.jsp without being asked to press Refresh!!
It doesn't show the expired page!
I think forward is better than sendRedirect!
You can try it.
0
 
LVL 35

Assisted Solution

by:TimYates
TimYates earned 120 total points
ID: 12419056
What happens if you change Welcome.jsp to:

-----------------------

<%@ page import="java.util.Date"%>
<jsp:useBean id="graph" class="DB.Graph"/>
<%
     response.setHeader("Expires",new Date().toString());
     response.setHeader("Cache-Control","no-store,no-cache,must-revalidate");
     response.addHeader("Cache-Control","post-check=0,pre-check=0");
     response.setHeader("Pragma","no-cache");
     String username=request.getParameter("username");
     String password=request.getParameter("password");          
     int i=graph.login(username,password);
     
     if(i==1)     //match
     {
          session.setAttribute( "loggedIn", "yes" ) ;
          response.sendRedirect("draw.jsp");
     }
     else
     {
          session.removeAttribute( "loggedIn" ) ;
          response.sendRedirect( "index.jsp?invalid=yes" ) ;
     }
%>

And change the beginning of draw.jsp to:

<%@ page import="java.util.Date"%>
<%
     
     response.setHeader("Expires",new Date().toString());
     response.setHeader("Cache-Control","no-store,no-cache,must-revalidate");
     response.addHeader("Cache-Control","post-check=0,pre-check=0");
     response.setHeader("Pragma","no-cache");
     if( session.getAttribute( "loggedIn" ) == null )
     {
          response.sendRedirect( "index.jsp?invalid=yes" ) ;
          return ;   // stop here, otherwise the rest of draw.jsp is still rendered after the redirect
     }
%>
0
 
LVL 2

Accepted Solution

by:arnon81
arnon81 earned 100 total points
ID: 12528454
welcome.jsp

<jsp:useBean id="graph" class="DB.Graph"/>
<%
     
     String username=request.getParameter("username");
     String password=request.getParameter("password");          
     int i=graph.login(username,password);
     
     if(i==1)     //match
     {
        session.setAttribute("login", "horay");
          response.sendRedirect("draw.jsp");
         
     }
     else
     if(i==0)     out.println("username or password invalid");    
%>


draw.jsp
<%@ page import="java.util.Date"%>
<%
     
     response.setHeader("Expires",new Date().toString());
     response.setHeader("Cache-Control","no-store,no-cache,must-revalidate");
     response.addHeader("Cache-Control","post-check=0,pre-check=0");
     response.setHeader("Pragma","no-cache");

String horay = (String) session.getAttribute("login");   // getAttribute returns Object, so cast it
if (horay==null)
{
      response.sendRedirect ("welcome.htm");
      return;   // stop here so the rest of draw.jsp is not rendered after the redirect
}
%>

and then the rest of draw.jsp...........

and then in your code
 if(signout!=null)    
     {
          session.invalidate();
          response.sendRedirect("welcome.htm");
     }    
make it so it says
 if(signout!=null)    
     {
          session.setAttribute("login", null);
          response.sendRedirect("welcome.htm");
     }

Hope this solves your problem.
Arnon    
0
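The fix the thread converges on has two halves: Tim's redirect after the login POST (so Back + Refresh re-fetches draw.jsp with a GET instead of re-submitting the credentials) and arnon81's session-attribute check at the top of draw.jsp. Below is an added example, not code from this thread, that puts the login POST, the logout and the check in one servlet; it assumes the page names welcome.htm and draw.jsp from the question, the DB.Graph bean with a no-arg constructor and a login() that returns 1 on a match, and the "login" session attribute name from arnon81's answer.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginServlet extends HttpServlet {
    static final String FLAG = "login";   // session attribute name from arnon81's answer (assumed)

    // Called at the top of draw.jsp: <% if (!LoginServlet.requireLogin(request, response)) return; %>
    // Returns false after sending the redirect so the page stops rendering.
    public static boolean requireLogin(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // Headers must go before any body output; Expires needs an HTTP date,
        // which setDateHeader formats (Date.toString() does not produce one).
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);
        HttpSession s = request.getSession(false);   // false: do not create a session for anonymous hits
        if (s != null && s.getAttribute(FLAG) != null) return true;
        response.sendRedirect(request.getContextPath() + "/welcome.htm");
        return false;
    }

    // POST from welcome.htm with username and password. DB.Graph is the thread's bean (assumed API).
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        int ok = new DB.Graph().login(request.getParameter("username"),
                                      request.getParameter("password"));
        if (ok != 1) {
            response.sendRedirect(request.getContextPath() + "/welcome.htm?invalid=yes");
            return;
        }
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();   // drop any pre-login session id rather than reuse it
        request.getSession(true).setAttribute(FLAG, "yes");
        // Redirect (302) rather than jsp:forward: the browser's history entry becomes a GET of
        // draw.jsp, so Back followed by Refresh cannot re-submit the credentials.
        response.sendRedirect(request.getContextPath() + "/draw.jsp");
    }

    // GET = sign out: invalidate the whole session, not just clear the flag,
    // so the old session id is dead on the server side too.
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession s = request.getSession(false);
        if (s != null) s.invalidate();
        response.sendRedirect(request.getContextPath() + "/welcome.htm");
    }
}
```

Map the servlet to the form's action URL in web.xml (an exact-path mapping takes precedence over the *.jsp mapping) and point the SignOut button at a GET of the same URL.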
 
LVL 2

Author Comment

by:quoclan
ID: 12551260
Thanks TimYates and arnon81.
I will reply as soon as possible.
0
 
LVL 35

Expert Comment

by:TimYates
ID: 13620496
Going by the last comment, I'd suggest either splitting between TimYates and arnon81, or splitting between all experts...
0
 
LVL 2

Author Comment

by:quoclan
ID: 13624588
I'm sorry ...
Thanks TimYates and arnon81 very much.
0
