Dj_maj
asked on
Jsp Logout page
Hi guys,
I need someone to tell me how to create a logout page for my jsp login account:
I have a Login.jsp page as follows:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<%-- page settings via directives--%>
<%@ page errorPage = "videoErrorPage.jsp" %>
<%@ page import = "java.util.*" %>
<%@ page import = "video.*" %>
<%-- Customer bean used to get all item data --%>
<jsp:useBean id = "customer" scope = "page"
class = "video.Customer" />
<head>
<title>Login Page</title>
</head>
<body >
<% if(request.getParameter("L
{
if( request.getParameter("ID")
if( request.getParameter("pass
{
response.sendRedirect("url
}}
else
{
%>
<h2 align=center>Account Login</h2>
<form action=password.jsp method=get>
<table width=60% align=center bgcolor=#E0E0E border=1>
<tr>
<th colspan =2>Enter Customer Password</th>
</tr>
<tr>
<td>CustomerID</td><td><in
</tr>
<tr>
<td>Password</td><td><inpu
</tr>
<input type =hidden name=Login value=yes>
<tr>
<td colspan= 2 align=center><input type=Submit value=login> &n
</tr>
</table>
</form>
<p> </p>
<p><center><a href=CustomerDetails.jsp>R
<% } %>
</body></html>
How can I create a very simple logout page so that when I log out through the logout page I will be unable to access the other pages (which the logged-on users usually have access to) by copying the URL and pasting it in the browser? Any ideas using the session variable?
You don't have to use a filter if you're not happy to use them. You can just put these lines of code in each page you want protected
<%
String loggedIn = (String) session.getAttribute("loggedIn");
if (loggedIn == null) {
    response.sendRedirect("login.jsp");
    return; // stop here so the rest of the protected page is not rendered
}
%>
ASKER
So in the login page should I create a session like this:
HttpSession session = request.getSession(true);
to give the session a value?
And what would the ("loggedIn") be?
Sorry, as I have not used JSP for a while and am trying to use it now.
>> So in the login page should I create a session like this:
>> HttpSession session = request.getSession(true);
No, you don't need to. The session object is an implicit one (like request) in a jsp and is available for you. You don't need to create another one.
>>and what would the ("loggedIn") be ?
Anything. Typically a String such as "loggedIn" will do. In the login page, when the user has been authenticated, you do this
session.setAttribute("loggedIn", "loggedIn");
this puts this string in the session object as the named attribute "loggedIn" . You can retrieve it by calling
String sessLoggedIn = (String) session.getAttribute("loggedIn");
If the value of sessLoggedIn is null, then there is no attribute of that name present in the session, i.e. the user has not been logged in.
ASKER
Hi, I've been working on these pages and they kind of work between the JSP pages, but because all my login checking is done in the .class files, which are compiled separately, I'm getting an exception error when I add the following line:
String loggedIn = (String) session.getAttribute("loggedIn");
if ( loggedIn == null )
{
response.sendRedirect("../login.jsp");
}
I've placed this line in different places such as the doGet method. It compiles with TextPad, but when I run it in the server it throws an error. Can you tell me how to fix this problem please?
You are getting an error because after you log out the session expires and you try to access a null object. Do it this way:
if (session.getAttribute("loggedIn") == null)
{
    response.sendRedirect("../login.jsp");
    return; // stop processing after the redirect
}
Also, if you are using a servlet, then use this code at the beginning of the servlet. This way, if you hit the back button and there was any request in the history, it won't get executed after logout. If you don't check this in the servlet and someone hits the back button, they will still execute the request in the browser history:
Something like this:
In the servlet:
if (session.getAttribute("loggedIn") == null)
{
    response.sendRedirect("../login.jsp");
}
else {
    // rest of the servlet code goes here
}
At the top of every JSP page
<%
if (session.getAttribute("loggedIn") == null)
{
    response.sendRedirect("../login.jsp");
    return; // do not render the rest of the page
}
%>
Now there could be one catch to this:
If someone keeps hitting the back button, at some point they will go to the start of the session, i.e. when someone logged in, and because this was a request and it will be stored in history, someone might be able to log in again...
To avoid this:
Use a token so no duplicate request will be executed.
Sorry raj3060, but can you tell me what you have posted that I haven't mentioned already?
ASKER
Hi guys, it works now. Can you tell me one last thing: is there any difference between creating the session at the top of the Login.jsp file or in the doGet method in the java.class file? Since the login checking is done by me in the .class file after the HTML form is submitted, not in the JSP, basically I'm creating the session based on successful login only. Do you think I should change the way I do this or is it OK?
>> Is there any difference between creating the session at the top of the Login.jsp file or in the doGet method in the java.class file?
Effectively no, there's none.
>> I'm creating the session based on successful login only
You are actually only accessing it based on successful login, not creating it. The session is already there if you are sending it from a JSP, unless you switch off session creation using this tag at the top of the JSP (and all preceding JSPs)
<%@ page session="false" %>
>> Do you think I should change the way I do this or is it OK?
If it works then leave it alone! But an improvement would be to use a filter to do this checking, as it would remove the need to have this code in every JSP.
Cheers :-)
If the variable is not found in the session object, redirect to the login page.
Once the user has been logged in, add the flag/string to the session object.
When the user logs out, kill the session by calling session.invalidate();
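
The filter approach suggested in the thread, combined with the three steps above, as an added example that is not part of the original posts. The "loggedIn" attribute and login.jsp come from the thread; the "/logout" URL, the list of public pages and the class name are assumptions, and the login handler is assumed to call session.setAttribute("loggedIn", "loggedIn") after a successful check.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Added example: one filter replaces the per-page check and handles logout.
@WebFilter("/*")
public class AuthFilter implements Filter {
    // Pages reachable without a login (assumed list; adjust to the application).
    private static final String[] PUBLIC = { "/login.jsp", "/password.jsp" };

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String path = req.getServletPath();
        // getSession(false): look up the session without creating a new one.
        HttpSession session = req.getSession(false);

        if (path.equals("/logout")) {              // hypothetical logout URL
            if (session != null) {
                session.invalidate();              // drops "loggedIn" and all other state
            }
            res.sendRedirect(req.getContextPath() + "/login.jsp");
            return;
        }
        for (String p : PUBLIC) {
            if (path.equals(p)) {
                chain.doFilter(rq, rs);
                return;
            }
        }
        if (session == null || session.getAttribute("loggedIn") == null) {
            res.sendRedirect(req.getContextPath() + "/login.jsp");
            return;                                // the protected resource never runs
        }
        // Keep protected pages out of the browser cache so the back button
        // after logout triggers a fresh request, which the check above rejects.
        res.setHeader("Cache-Control", "no-store");
        chain.doFilter(rq, rs);
    }
}
```

Because the filter is mapped to "/*", servlets behind it are covered as well as JSPs, so a pasted URL or a replayed request after logout ends at the login page.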