  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 213

about session

Hi expert,
I want to ask you about session. When you log in, do something, then log out, after that, you press BACK button ... and you log in again.
Can you solve this problem? I mean, after you press BACK, you CAN NOT log in again in the system.
Thank you.
0
quoclan
Asked:
2 Solutions
 
TimYatesCommented:
You mean press BACK to the login page, then type your details in again?

That will always work...

Try putting this in the JSPs you want to protect:

<%
      // Set to expire far in the past.
      response.setHeader("Expires", "Sat, 6 May 1995 12:00:00 GMT");

      // Set standard HTTP/1.1 no-cache headers.
      response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");

      // Set IE extended HTTP/1.1 no-cache headers (use addHeader).
      response.addHeader("Cache-Control", "post-check=0, pre-check=0");

      // Set standard HTTP/1.0 no-cache header.
      response.setHeader("Pragma", "no-cache");
%>
0
 
sudhakar_koundinyaCommented:
extending the TimYates solution,


<html>
<head>
<%
      // Set to expire far in the past.
      response.setHeader("Expires", "Sat, 6 May 1995 12:00:00 GMT");

      // Set standard HTTP/1.1 no-cache headers.
      response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");

      // Set IE extended HTTP/1.1 no-cache headers (use addHeader).
      response.addHeader("Cache-Control", "post-check=0, pre-check=0");

      // Set standard HTTP/1.0 no-cache header.
      response.setHeader("Pragma", "no-cache");
%>
</head>
</html>

<html>
<!-- Your protected page -->
</html>


<html>
<head>
<%
      // Set to expire far in the past.
      response.setHeader("Expires", "Sat, 6 May 1995 12:00:00 GMT");

      // Set standard HTTP/1.1 no-cache headers.
      response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");

      // Set IE extended HTTP/1.1 no-cache headers (use addHeader).
      response.addHeader("Cache-Control", "post-check=0, pre-check=0");

      // Set standard HTTP/1.0 no-cache header.
      response.setHeader("Pragma", "no-cache");
%>
</head>
</html>


This is more protected.
0
 
quoclanAuthor Commented:
To sudhakar_koundinya:
Why do you add three <html></html> in one page? I don't know this. If one page has three <html> tags, which one will it choose to display? Can you explain more to me?
Thank you.
0

 
TimYatesCommented:
I'm intrigued by that too ;-)

I never have to do any of those things...

quoclan, did you mean press BACK to the login page, then type your details in again?
0
 
sudhakar_koundinyaCommented:
Somewhere on the net I read that setting the expiry content before the HTML content and after the HTML content protects the page more. Sadly I forgot that URI to show you:

<Html>
<head>
<!-- expiry settings-->
</head>

<head>
</head>
<body>
</body>
<head>
<!-- expiry settings-->
</head>
</html>

0
 
TimYatesCommented:
I wonder if all browsers work with that...

I assume it's to get round some "feature" of the dreadful IE4...  So hopefully it shouldn't be needed now....  Hopefully ;-)
0
 
quoclanAuthor Commented:
Hi,
I checked your solution. But when I press Refresh, it still logs in.
Can you give me another solution?
Thanks.
0
 
quoclanAuthor Commented:
I mean, your solution is right. When I press BACK, it shows "Page has expires". Then I press Refresh, and it still logs in to the system again.
0
 
TimYatesCommented:
> Then I press Refresh, and it still logs in to the system again.

Yeah, because it posts the login details again...

When you log in, have the page that performs the login checks send a redirect to the first page:

response.sendRedirect( "welcome.jsp" ) ;

That way, you shouldn't be able to press "back" and see the page just after login...
0
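The redirect-after-login pattern described in the post above, as an added example that is not code from this thread: the login POST is always answered with a redirect, so BACK and Refresh never replay the credentials. The class name and the `checkCredentials` hook are assumptions; `index.jsp`, `draw.jsp` and the `loggedIn` attribute are borrowed from later posts in this thread.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not code from the thread. Subclass it, implement
// checkCredentials(), and map the subclass to the login form's action URL.
public abstract class LoginServlet extends HttpServlet {

    // Assumption: the application supplies its own credential check here
    // (in the thread that would be graph.login(username, password) == 1).
    protected abstract boolean checkCredentials(String username, String password);

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        if (username == null || password == null
                || !checkCredentials(username, password)) {
            // Redirect on failure too, so this POST is never the page in history.
            response.sendRedirect(request.getContextPath() + "/index.jsp?invalid=yes");
            return;
        }

        // Discard any pre-login session and start a fresh one for this user.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        request.getSession(true).setAttribute("loggedIn", "yes");

        // The browser follows this with a new GET for draw.jsp. BACK and Refresh
        // then act on that GET and cannot re-send the username and password.
        // A forward would instead leave the POST as the current history entry.
        response.sendRedirect(request.getContextPath() + "/draw.jsp");
    }
}
```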
 
quoclanAuthor Commented:
Yes, I have a page that performs the login check. After that, I use this:
<jsp:forward page='<%=response.encodeUrl("welcome.jsp")%>'/>
and welcome.jsp is protected by your code (I also tried sudhakar_koundinya's code).

I don't know how Tomcat does this (I haven't downloaded Tomcat's source). Does Tomcat use the same way you showed me?
Thanks.
0
 
quoclanAuthor Commented:
Hi all,
Can you help me with this problem?
0
 
TimYatesCommented:
You are going to have to show us what you are doing... And the steps you take to show the bug...

 What we have suggested should work

There must be another piece of the puzzle missing...

Can you post a simple example which shows the error?
0
 
quoclanAuthor Commented:
I have a login.jsp that receives 2 parameters from login.htm: username and password.
After checking this username and password in the database, if they match I use
<jsp:forward page='<%=response.encodeUrl("welcome.jsp")%>'/>
If they do not match, I redirect to login.htm.
In welcome.jsp, I use your code to protect my JSP:
<%@ page import="java.util.Date"%>
<%
      // Set to expire now (the current time).
      response.setHeader("Expires", new Date().toString());

      // Set standard HTTP/1.1 no-cache headers.
      response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");

      // Set IE extended HTTP/1.1 no-cache headers (use addHeader).
      response.addHeader("Cache-Control", "post-check=0, pre-check=0");

      // Set standard HTTP/1.0 no-cache header.
      response.setHeader("Pragma", "no-cache");
%>
<!--
my code
-->
When I press "Log out" in welcome.jsp, I invalidate the session, then redirect to login.htm.
After that, I press BACK, and IE shows "Page that has expires". I try pressing REFRESH, then welcome.jsp is displayed.

Do I have some problems in my code?
0
 
TimYatesCommented:
instead of:

<jsp:forward page='<%=response.encodeUrl("welcome.jsp")%>'/>

try

<% response.sendRedirect( "welcome.jsp" ) ; %>
0
 
quoclanAuthor Commented:
I tried your solution, but it's worse than before the change.
When I press BACK, it goes directly to my protected JSP (it doesn't display the expired page).
Thanks.
0
 
quoclanAuthor Commented:
I post my code here:
1. First, welcome.htm receives the username and password from the user. After that, it submits to welcome.jsp:
<html>
<head>
<title>Welcome</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body bgcolor="#FFFFFF" text="#000000">
<form name="form1" method="post" action="welcome.jsp">
  <p align="left">&nbsp; </p>
  <p align="center"><b>Username&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</b>
    <input type="text" name="username">
  </p>
  <p align="center"><b>Password </b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <input type="password" name="password">
  </p>
  <p align="center">
    <input type="submit" name="ok" value="OK">
    <input type="reset" name="cancel" value="Cancel">
  </p>
</form>
</body>
</html>

2. welcome.jsp checks the username and password in the database through a JavaBean with id=graph. If they match, it uses response.sendRedirect("draw.jsp"):

<jsp:useBean id="graph" class="DB.Graph"/>
<%
      session= request.getSession(true);
      String username=request.getParameter("username");
      String password=request.getParameter("password");            
      int i=graph.login(username,password);
      
      if(i==1)      //match
      {
            response.sendRedirect("draw.jsp");
            
      }
      else
      if(i==0)      out.println("username or password invalid");      
%>

3. draw.jsp displays some info and a sign out button. When sign out is clicked, it uses session.invalidate() and response.sendRedirect("welcome.htm"). draw.jsp is protected by your code:

<%@ page import="java.util.Date"%>
<%
      
      response.setHeader("Expires",new Date().toString());
      response.setHeader("Cache-Control","no-store,no-cache,must-revalidate");
      response.addHeader("Cache-Control","post-check=0,pre-check=0");
      response.setHeader("Pragma","no-cache");
%>


<html>
<head>
<title>Draw</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body bgcolor="#FFFFFF" text="#000000">
<form name="form1" method="post" action="draw.jsp">
  <p>
    <input type="submit" name="signout" value="SignOut">
  </p>
  <p><b>Soft &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <input type="text" name="soft">
    &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    </b></p>
  <p><b>Devices&nbsp;
    <input type="text" name="device">
    </b></p>
  <p><b>Other&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <input type="text" name="other">
    </b></p>
  <p><b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <input type="submit" name="graph" value="Graph">
    <input type="reset" name="cancel" value="Cancel">
    &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</b></p>
  </form>

<%@ page session="true"%>
<%      
      String signout=request.getParameter("signout");
      String graph=request.getParameter("graph");

      if(signout!=null)      
      {
            session.invalidate();
            response.sendRedirect("welcome.htm");
      }      
      else
      if(graph!=null)
      {
            out.println("draw");
      }

%>
</body>
</html>

<%@ page import="java.util.Date"%>
<%
      
      response.setHeader("Expires",new Date().toString());
      response.setHeader("Cache-Control","no-store,no-cache,must-revalidate");
      response.addHeader("Cache-Control","post-check=0,pre-check=0");
      response.setHeader("Pragma","no-cache");
%>

Can you view this? Can you show me my problem?
0
 
quoclanAuthor Commented:
anyone help me ??
0
 
TimYatesCommented:
Change welcome.htm to index.jsp:

<html>
    <head>
        <title>Welcome</title>
        <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    </head>
    <body bgcolor="#FFFFFF" text="#000000">
<%
    if( request.getParameter( "invalid" ) != null )
    {
        out.println( "<h1>Invalid login details</h1>" ) ;
    }
%>
        <form name="form1" method="post" action="welcome.jsp">
            <p align="left">&nbsp; </p>
            <p align="center"><b>Username&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</b>
                <input type="text" name="username">
            </p>
            <p align="center"><b>Password </b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
                <input type="password" name="password">
            </p>
            <p align="center">
                <input type="submit" name="ok" value="OK">
                <input type="reset" name="cancel" value="Cancel">
            </p>
        </form>
    </body>
</html>

Then change welcome.jsp to:

<%@ page import="java.util.Date"%>
<jsp:useBean id="graph" class="DB.Graph"/>
<%
     response.setHeader("Expires",new Date().toString());
     response.setHeader("Cache-Control","no-store,no-cache,must-revalidate");
     response.addHeader("Cache-Control","post-check=0,pre-check=0");
     response.setHeader("Pragma","no-cache");
     session= request.getSession(true);
     String username=request.getParameter("username");
     String password=request.getParameter("password");          
     int i=graph.login(username,password);
     
     if(i==1)     //match
          response.sendRedirect("draw.jsp");
     else
          response.sendRedirect( "index.jsp?invalid=yes" ) ;
%>

Any help?  Hope so!

Tim
0
 
quoclanAuthor Commented:
Did you try your code? I tried it, but it's still wrong.
Do you have any solution?
Please help me!
0
 
TimYatesCommented:
> Did you try your code? I tried it, but it's still wrong.

I am not 100% sure what you are doing...or what is happening...

Are you going back to welcome.jsp?  and pressing refresh?

You shouldn't be able to go back to welcome.jsp...
0
 
quoclanAuthor Commented:
Yes, I don't go back to welcome.jsp, but I go directly to draw.jsp without being asked to press Refresh!!
It doesn't show the expired page!
I think forward is better than sendRedirect!
You can try it.
0
 
TimYatesCommented:
What happens if you change Welcome.jsp to:

-----------------------

<%@ page import="java.util.Date"%>
<jsp:useBean id="graph" class="DB.Graph"/>
<%
     response.setHeader("Expires",new Date().toString());
     response.setHeader("Cache-Control","no-store,no-cache,must-revalidate");
     response.addHeader("Cache-Control","post-check=0,pre-check=0");
     response.setHeader("Pragma","no-cache");
     String username=request.getParameter("username");
     String password=request.getParameter("password");          
     int i=graph.login(username,password);
     
     if(i==1)     //match
     {
          session.setAttribute( "loggedIn", "yes" ) ;
          response.sendRedirect("draw.jsp");
     }
     else
     {
          response.sendRedirect( "index.jsp?invalid=yes" ) ;
          session.removeAttribute( "loggedIn" ) ;
     }
%>

And change the beginning of draw.jsp to:

<%@ page import="java.util.Date"%>
<%
     
     response.setHeader("Expires",new Date().toString());
     response.setHeader("Cache-Control","no-store,no-cache,must-revalidate");
     response.addHeader("Cache-Control","post-check=0,pre-check=0");
     response.setHeader("Pragma","no-cache");
     if( session.getAttribute( "loggedIn" ) == null )
     {
          response.sendRedirect( "index.jsp?invalid=yes" ) ;
          return ;  // stop here so the rest of the protected page is not executed
     }
%>
0
 
arnon81Commented:
welcome.jsp

<jsp:useBean id="graph" class="DB.Graph"/>
<%
     
     String username=request.getParameter("username");
     String password=request.getParameter("password");          
     int i=graph.login(username,password);
     
     if(i==1)     //match
     {
        session.setAttribute("login", "horay");
          response.sendRedirect("draw.jsp");
         
     }
     else
     if(i==0)     out.println("username or password invalid");    
%>


draw.jsp
<%@ page import="java.util.Date"%>
<%
     
     response.setHeader("Expires",new Date().toString());
     response.setHeader("Cache-Control","no-store,no-cache,must-revalidate");
     response.addHeader("Cache-Control","post-check=0,pre-check=0");
     response.setHeader("Pragma","no-cache");

String horay = (String) session.getAttribute("login");
if (horay==null)
{
      response.sendRedirect ("welcome.htm");
      return;  // do not run the rest of draw.jsp for a logged-out user
}
%>

and then the rest of draw.jsp...........

and then on your code
 if(signout!=null)    
     {
          session.invalidate();
          response.sendRedirect("welcome.htm");
     }    
make it so it says
 if(signout!=null)    
     {
          session.setAttribute("login", null);
          response.sendRedirect("welcome.htm");
     }

Hope this solve your problem.
Arnon    
0
 
quoclanAuthor Commented:
Thanks TimYates and arnon81.
I will reply as soon as possible.
0
 
TimYatesCommented:
Going by the last comment, I'd suggest either splitting between TimYates and arnon81, or splitting between all experts...
0
 
quoclanAuthor Commented:
I'm sorry ...
Thanks TimYates and arnon81 very much.
0
Question has a verified solution.
