Solved

about session

Posted on 2004-10-13
Last Modified: 2010-04-01
Hi expert,
I want to ask you about sessions. When you log in, do something, then log out, and after that press the BACK button ... you are logged in again.
Can you solve this problem? I mean, after you press BACK, you CAN NOT log in again to the system.
Thank you.
27 Comments
 
LVL 35

Expert Comment

by:TimYates
ID: 12298438
you mean press BACK to the login page, then type your details in again?

That will always work...

try putting this in the JSPs you want to protect:

<%
      // Set to expire far in the past.
      response.setHeader("Expires", "Sat, 6 May 1995 12:00:00 GMT");

      // Set standard HTTP/1.1 no-cache headers.
      response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");

      // Set IE extended HTTP/1.1 no-cache headers (use addHeader).
      response.addHeader("Cache-Control", "post-check=0, pre-check=0");

      // Set standard HTTP/1.0 no-cache header.
      response.setHeader("Pragma", "no-cache");
%>
 
LVL 14

Expert Comment

by:sudhakar_koundinya
ID: 12302064
Extending TimYates' solution:


<html>
<head>
<%
      // Set to expire far in the past.
      response.setHeader("Expires", "Sat, 6 May 1995 12:00:00 GMT");

      // Set standard HTTP/1.1 no-cache headers.
      response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");

      // Set IE extended HTTP/1.1 no-cache headers (use addHeader).
      response.addHeader("Cache-Control", "post-check=0, pre-check=0");

      // Set standard HTTP/1.0 no-cache header.
      response.setHeader("Pragma", "no-cache");
%>
</head>
</html>

<html>
<!-- Your protected page -->
</html>


<html>
<head>
<%
      // Set to expire far in the past.
      response.setHeader("Expires", "Sat, 6 May 1995 12:00:00 GMT");

      // Set standard HTTP/1.1 no-cache headers.
      response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");

      // Set IE extended HTTP/1.1 no-cache headers (use addHeader).
      response.addHeader("Cache-Control", "post-check=0, pre-check=0");

      // Set standard HTTP/1.0 no-cache header.
      response.setHeader("Pragma", "no-cache");
%>
</head>
</html>


This is more protected.
 
LVL 2

Author Comment

by:quoclan
ID: 12306222
to sudhakar_koundinya  :
Why do you add three <html></html> in one page? I don't know this. If one page has three <html> tags, which one will it choose to display? Can you explain more to me?
Thank you.
 
LVL 35

Expert Comment

by:TimYates
ID: 12306407
I'm intrigued by that too ;-)

I never have to do any of those things...

quoclan, did you mean press BACK to the login page, then type your details in again?
 
LVL 14

Expert Comment

by:sudhakar_koundinya
ID: 12306587
Somewhere I read on the net that setting the expiry content before the HTML content and after the HTML content protects the page more. Sadly I forgot that URI to show you,

<html>
<head>
<!-- expiry settings-->
</head>

<head>
</head>
<body>
</body>
<head>
<!-- expiry settings-->
</head>
</html>

 
LVL 35

Expert Comment

by:TimYates
ID: 12306668
I wonder if all browsers work with that...

I assume it's to get round some "feature" of the dreadful IE4...  So hopefully it shouldn't be needed now....  Hopefully ;-)
 
LVL 2

Author Comment

by:quoclan
ID: 12326829
hi,
I checked your solution. But when I press Refresh, it still logs in.
Can you give me another solution?
Thanks.
 
LVL 2

Author Comment

by:quoclan
ID: 12326849
I mean, your solution is right. When I press BACK, it shows "Page has expired". Then, I press Refresh, and it still logs in to the system again.
 
LVL 35

Expert Comment

by:TimYates
ID: 12326896
> Then, i press Refresh, it still log in system again.

Yeah, because it posts the login details again...

When you log in, have the page that performs the login checks send a redirect to the first page

response.sendRedirect( "welcome.jsp" ) ;

That way, you shouldn't be able to press "back" and see the page just after login...
 
LVL 2

Author Comment

by:quoclan
ID: 12331574
Yes, I have a page that performs the login check; after that, I use this:
<jsp:forward page="<%=response.encodeURL("welcome.jsp")%>" />
and welcome.jsp is protected by your code (and I also tried sudhakar_koundinya's code).

I don't know how Tomcat does this (I haven't downloaded Tomcat's source). Does Tomcat use the same way you showed me?
Thanks.
 
LVL 2

Author Comment

by:quoclan
ID: 12339642
Hi all,
can you help me with this problem?
 
LVL 35

Expert Comment

by:TimYates
ID: 12340304
You are going to have to show us what you are doing... And the steps you take to show the bug...

What we have suggested should work

There must be another piece of the puzzle missing...

Can you post a simple example which shows the error?
 
LVL 2

Author Comment

by:quoclan
ID: 12343909
I have a login.jsp that receives 2 parameters from login.htm: username and password.
After checking this username and password in the database, if they match I use
<jsp:forward page="<%=response.encodeURL("welcome.jsp")%>" />
and if they do not match, I redirect to login.htm.
In welcome.jsp, I use your code to protect my JSP:
<%@ page import="java.util.Date"%>
<%
      // Set to expire far in the past (setDateHeader writes a valid HTTP date; Date.toString() does not).
      response.setDateHeader("Expires", 0);

      // Set standard HTTP/1.1 no-cache headers.
      response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");

      // Set IE extended HTTP/1.1 no-cache headers (use addHeader).
      response.addHeader("Cache-Control", "post-check=0, pre-check=0");

      // Set standard HTTP/1.0 no-cache header.
      response.setHeader("Pragma", "no-cache");
%>
<!--
my code
-->
When I press "Log out" in welcome.jsp, I invalidate the session, then redirect to login.htm.
After that, I press BACK, and IE shows "Page has expired". I try pressing REFRESH, and then welcome.jsp is displayed.

Do I have some problems in my code?
 
LVL 35

Expert Comment

by:TimYates
ID: 12345368
instead of:

<jsp:forward page="<%=response.encodeURL("welcome.jsp")%>" />

try

<% response.sendRedirect( "welcome.jsp" ) ; %>
 
LVL 2

Author Comment

by:quoclan
ID: 12387812
I tried your solution, but it's worse than before I changed it.
When I press BACK, it goes directly to my protected JSP (it doesn't display the expired page).
Thanks.
 
LVL 2

Author Comment

by:quoclan
ID: 12387843
I post my code here:
1. First, welcome.htm receives the username and password from the user. After that, it submits to welcome.jsp:
<html>
<head>
<title>Welcome</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body bgcolor="#FFFFFF" text="#000000">
<form name="form1" method="post" action="welcome.jsp">
  <p align="left">&nbsp; </p>
  <p align="center"><b>Username&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</b>
    <input type="text" name="username">
  </p>
  <p align="center"><b>Password </b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <!-- type="password" so the browser masks the field instead of showing it as plain text -->
    <input type="password" name="password">
  </p>
  <p align="center">
    <input type="submit" name="ok" value="OK">
    <input type="reset" name="cancel" value="Cancel">
  </p>
</form>
</body>
</html>

2. welcome.jsp checks the username and password in the database through a JavaBean with id=graph. If they match, it uses response.sendRedirect("draw.jsp"):

<jsp:useBean id="graph" class="DB.Graph"/>
<%
      session= request.getSession(true);
      String username=request.getParameter("username");
      String password=request.getParameter("password");            
      int i=graph.login(username,password);
      
      if(i==1)      //match
      {
            response.sendRedirect("draw.jsp");
            return;      // stop processing: nothing else should be written after the redirect
      }
      else
      if(i==0)      out.println("username or password invalid");      
%>

3. draw.jsp displays some info and a sign out button. When sign out is clicked, it uses session.invalidate() and response.sendRedirect("welcome.htm"). draw.jsp is protected by your code:

<%@ page import="java.util.Date"%>
<%
      // setDateHeader writes a valid HTTP date (1 Jan 1970); Date.toString() is not an HTTP date
      response.setDateHeader("Expires",0);
      response.setHeader("Cache-Control","no-store,no-cache,must-revalidate");
      response.addHeader("Cache-Control","post-check=0,pre-check=0");
      response.setHeader("Pragma","no-cache");
%>


<html>
<head>
<title>Draw</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body bgcolor="#FFFFFF" text="#000000">
<form name="form1" method="post" action="draw.jsp">
  <p>
    <input type="submit" name="signout" value="SignOut">
  </p>
  <p><b>Soft &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <input type="text" name="soft">
    &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    </b></p>
  <p><b>Devices&nbsp;
    <input type="text" name="device">
    </b></p>
  <p><b>Other&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <input type="text" name="other">
    </b></p>
  <p><b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <input type="submit" name="graph" value="Graph">
    <input type="reset" name="cancel" value="Cancel">
    &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</b></p>
  </form>

<%@ page session="true"%>
<%      
      String signout=request.getParameter("signout");
      String graph=request.getParameter("graph");

      if(signout!=null)      
      {
            session.invalidate();
            response.sendRedirect("welcome.htm");
            return;      // do not render the rest of the page after signing out
      }      
      else
      if(graph!=null)
      {
            out.println("draw");
      }

%>
</body>
</html>

<%@ page import="java.util.Date"%>
<%
      // repeated after the body, as in sudhakar_koundinya's suggestion
      response.setDateHeader("Expires",0);
      response.setHeader("Cache-Control","no-store,no-cache,must-revalidate");
      response.addHeader("Cache-Control","post-check=0,pre-check=0");
      response.setHeader("Pragma","no-cache");
%>

Can you view this? Can you show me my problem?
 
LVL 2

Author Comment

by:quoclan
ID: 12407211
Can anyone help me??
 
LVL 35

Expert Comment

by:TimYates
ID: 12408447
Change welcome.htm to index.jsp:

<html>
    <head>
        <title>Welcome</title>
        <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    </head>
    <body bgcolor="#FFFFFF" text="#000000">
<%
    if( request.getParameter( "invalid" ) != null )
    {
        out.println( "<h1>Invalid login details</h1>" ) ;
    }
%>
        <form name="form1" method="post" action="welcome.jsp">
            <p align="left">&nbsp; </p>
            <p align="center"><b>Username&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</b>
                <input type="text" name="username">
            </p>
            <p align="center"><b>Password </b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
                <input type="password" name="password">
            </p>
            <p align="center">
                <input type="submit" name="ok" value="OK">
                <input type="reset" name="cancel" value="Cancel">
            </p>
        </form>
    </body>
</html>

Then change welcome.jsp to:

<jsp:useBean id="graph" class="DB.Graph"/>
<%
     // setDateHeader writes a valid HTTP date; no java.util.Date import is needed
     response.setDateHeader("Expires",0);
     response.setHeader("Cache-Control","no-store,no-cache,must-revalidate");
     response.addHeader("Cache-Control","post-check=0,pre-check=0");
     response.setHeader("Pragma","no-cache");
     session= request.getSession(true);
     String username=request.getParameter("username");
     String password=request.getParameter("password");          
     int i=graph.login(username,password);
     
     if(i==1)     //match
          response.sendRedirect("draw.jsp");
     else
          response.sendRedirect( "index.jsp?invalid=yes" ) ;
     return;     // nothing should be written after the redirect
%>

Any help?  Hope so!

Tim
 
LVL 2

Author Comment

by:quoclan
ID: 12410501
Did you try your code? I tried it, but it's still wrong.
Do you have any solution?
Please help me!
 
LVL 35

Expert Comment

by:TimYates
ID: 12410525
>  do you try your code ? I try it, but it's still wrong.

I am not 100% sure what you are doing...or what is happening...

Are you going back to welcome.jsp?  and pressing refresh?

You shouldn't be able to go back to welcome.jsp...
 
LVL 2

Author Comment

by:quoclan
ID: 12414628
Yes, I don't go back to welcome.jsp, but it goes directly to draw.jsp without asking me to press Refresh!!
It doesn't show the expired page!
I think forward is better than sendRedirect!
You can try it.
 
LVL 35

Assisted Solution

by:TimYates
TimYates earned 120 total points
ID: 12419056
What happens if you change Welcome.jsp to:

-----------------------

<jsp:useBean id="graph" class="DB.Graph"/>
<%
     // setDateHeader writes a valid HTTP date; no java.util.Date import is needed
     response.setDateHeader("Expires",0);
     response.setHeader("Cache-Control","no-store,no-cache,must-revalidate");
     response.addHeader("Cache-Control","post-check=0,pre-check=0");
     response.setHeader("Pragma","no-cache");
     String username=request.getParameter("username");
     String password=request.getParameter("password");          
     int i=graph.login(username,password);
     
     if(i==1)     //match
     {
          session.setAttribute( "loggedIn", "yes" ) ;
          response.sendRedirect("draw.jsp");
     }
     else
     {
          session.removeAttribute( "loggedIn" ) ;
          response.sendRedirect( "index.jsp?invalid=yes" ) ;
     }
     return;     // nothing should be written after the redirect
%>

And change the beginning of draw.jsp to:

<%@ page import="java.util.Date"%>
<%
     // setDateHeader writes a valid HTTP date; Date.toString() is not an HTTP date
     response.setDateHeader("Expires",0);
     response.setHeader("Cache-Control","no-store,no-cache,must-revalidate");
     response.addHeader("Cache-Control","post-check=0,pre-check=0");
     response.setHeader("Pragma","no-cache");
     if( session.getAttribute( "loggedIn" ) == null )
     {
          response.sendRedirect( "index.jsp?invalid=yes" ) ;
          return ;     // without this, the protected content below would still be generated
     }
%>
 
LVL 2

Accepted Solution

by:arnon81
arnon81 earned 100 total points
ID: 12528454
welcome.jsp

<jsp:useBean id="graph" class="DB.Graph"/>
<%
     
     String username=request.getParameter("username");
     String password=request.getParameter("password");          
     int i=graph.login(username,password);
     
     if(i==1)     //match
     {
          session.setAttribute("login", "horay");
          response.sendRedirect("draw.jsp");
          return;     // nothing should be written after the redirect
     }
     else
     if(i==0)     out.println("username or password invalid");    
%>


draw.jsp
<%@ page import="java.util.Date"%>
<%
     // setDateHeader writes a valid HTTP date; Date.toString() is not an HTTP date
     response.setDateHeader("Expires",0);
     response.setHeader("Cache-Control","no-store,no-cache,must-revalidate");
     response.addHeader("Cache-Control","post-check=0,pre-check=0");
     response.setHeader("Pragma","no-cache");

// getAttribute returns Object, so it cannot be assigned to a String without a cast
Object horay = session.getAttribute("login");
if (horay==null)
{
      response.sendRedirect ("welcome.htm");
      return;     // without this, the rest of draw.jsp would still be generated
}
%>

and then the rest of draw.jsp...........

and then on your code
 if(signout!=null)    
     {
          session.invalidate();
          response.sendRedirect("welcome.htm");
     }    
make it so it says
 if(signout!=null)    
     {
          session.setAttribute("login", null);
          response.sendRedirect("welcome.htm");
     }

Hope this solves your problem.
Arnon    
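The thread ends up doing three things by hand in each JSP: sending no-cache headers on the protected page (TimYates' first comment), redirecting after the login POST so that Refresh re-GETs the page instead of re-posting the credentials, and checking a server-side session attribute before rendering draw.jsp (TimYates' and arnon81's last comments). The following is an added example, not code posted by anyone in this thread, that puts all three in one place as a servlet Filter plus a login and a logout servlet. It assumes the Servlet 2.3+ API (javax.servlet) on the classpath, as Tomcat provides; the class names AuthFilter, LoginServlet and LogoutServlet, the attribute name "loggedIn", the URL paths and the web.xml wiring are assumptions made for this example, and DB.Graph with a no-argument constructor and an int login(String, String) that returns 1 on success is the bean the thread describes.

```java
// Added example (not from the thread). Assumes javax.servlet on the classpath; AuthFilter,
// LoginServlet, LogoutServlet, "loggedIn" and the paths are names chosen here. DB.Graph is the
// thread's bean (no-arg constructor, int login(String,String) == 1 on success).
//
// Suggested web.xml wiring (assumption): map AuthFilter to /draw.jsp, LoginServlet to the form's
// action /welcome.jsp, and LogoutServlet to /logout used by the SignOut button.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class AuthFilter implements Filter {
    static final String LOGGED_IN = "loggedIn";   // set only after DB.Graph.login succeeds
    static final String LOGIN_PAGE = "/index.jsp";

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Headers before any output: once the response is committed they can no longer be set.
        setNoCache(response);

        // getSession(false): do not create a session just to find out there is none.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(LOGGED_IN) == null) {
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE + "?invalid=yes");
            return;   // without this the protected page would still be rendered into the 302 body
        }
        chain.doFilter(req, res);
    }

    // The thread's header set. setDateHeader emits a proper RFC 1123 date (1 Jan 1970);
    // new Date().toString() does not produce an HTTP date at all.
    static void setNoCache(HttpServletResponse response) {
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate"); // HTTP/1.1
        response.addHeader("Cache-Control", "post-check=0, pre-check=0");           // old IE extension
        response.setHeader("Pragma", "no-cache");                                   // HTTP/1.0 caches
        response.setDateHeader("Expires", 0);
    }
}

// Handles the POST from the login form. Redirecting (POST-redirect-GET) is what makes Refresh
// harmless: the browser re-GETs draw.jsp instead of re-submitting username and password.
class LoginServlet extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        AuthFilter.setNoCache(response);
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        DB.Graph graph = new DB.Graph();
        boolean ok = username != null && password != null && graph.login(username, password) == 1;
        if (ok) {
            HttpSession old = request.getSession(false);
            if (old != null) {
                old.invalidate();   // start a fresh session after login; nothing from before carries over
            }
            request.getSession(true).setAttribute(AuthFilter.LOGGED_IN, Boolean.TRUE);
            response.sendRedirect("draw.jsp");
        } else {
            response.sendRedirect("index.jsp?invalid=yes");
        }
    }
}

// Logout: invalidate the whole session rather than clearing one attribute, so that BACK followed
// by Refresh reaches AuthFilter with no session and is sent to the login page.
class LogoutServlet extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        AuthFilter.setNoCache(response);
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        response.sendRedirect("index.jsp");
    }
}
```

With the filter mapped to draw.jsp, the JSP itself no longer needs the header scriptlet or the attribute check, and the same filter mapping can be extended to every other protected page. The browser-side headers only stop the cached copy from being shown on BACK; it is the session check in the filter that actually refuses to serve the page once the user has logged out, which is why the two belong together.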
 
LVL 2

Author Comment

by:quoclan
ID: 12551260
Thanks TimYates and arnon81.
I will reply as soon as possible.
 
LVL 35

Expert Comment

by:TimYates
ID: 13620496
Going by the last comment, I'd suggest either splitting between TimYates and arnon81, or splitting between all experts...
 
LVL 2

Author Comment

by:quoclan
ID: 13624588
I'm sorry ...
Thanks TimYates and arnon81 very much.