Jsp Logout page


Hi guys,
 I need someone to tell me how to create a logout page for my jsp login account:

I have a Login.jsp page as follow:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<%-- page settings via directives--%>
<%@ page errorPage = "videoErrorPage.jsp" %>
<%@ page import = "java.util.*" %>
<%@ page import = "video.*" %>

<%-- Customer bean used to get all item data --%>
<jsp:useBean id = "customer" scope = "page"
   class = "video.Customer" />

   <head>
      <title>Login Page</title>
   </head>
   <body >
   <% if(request.getParameter("Login")!=null)
         {
     if( request.getParameter("ID") == customer.getIdNum() )
     if( request.getParameter("pass") == customer.getPass() )
     {
             response.sendRedirect("url");
     }}
     else
     {
   %>
      <h2 align=center>Account Login</h2>
      <form action=password.jsp method=get>
      <table width=60% align=center bgcolor=#E0E0E border=1>
            <tr>
               <th colspan =2>Enter Customer Password</th>
            </tr>
            <tr>
  <td>CustomerID</td><td><input type=text name=ID ></td>
            </tr>
            <tr>
  <td>Password</td><td><input type=pass name=pass ></td>
            </tr>
             <input type =hidden name=Login value=yes>
            <tr>
            <td colspan= 2 align=center><input type=Submit value=login>&nbsp;&nbsp;&nbsp;<input type=reset value=Exit></td>
            </tr>            
      </table>
      </form>
      <p>&nbsp</p>
      <p><center><a href=CustomerDetails.jsp>Return to catalog</a>
   <% }  %>
      </body></html>


How can i create a very simple logout page so that when i logout through the logout page i will be unable to access the other pages (which the logged on users usaly have access to) buy copying the url and pasting it in the browser? Any ideas using the session variable?






Dj_majAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

bloodredsunCommented:
Use a filter to check for a variable stored in the session that shows that they have been logged in.
If the variable is not found in the session object, redirect to the login page.
Once the user has been logged in, add the  flag/string to the session object.
When the user log's out, kill the session by calling session.invalidate() ;
bloodredsunCommented:
You don't have to use a filter if you're not happy to use them. You can just put these lines of code in each page you want protected

<%
String loggedIn = (String) session.getAttribute("loggedIn") ;
if ( loggedIn == null ){
    response.sendRedirect("login.jsp") ;
}
%>
Dj_majAuthor Commented:
so in the loggin page should i create a session like this:
HttpSession session = request.getSession(true);
to give the sesion a vlaue?
and what would the ("loggedIn") be ?
sorry as i have not used jsp for a while and trying to use it now.
CompTIA Network+

Prepare for the CompTIA Network+ exam by learning how to troubleshoot, configure, and manage both wired and wireless networks.

bloodredsunCommented:
>> so in the loggin page should i create a session like this:
>>HttpSession session = request.getSession(true);

No, you don't need to. The session object is an implicit one (like request) in a jsp and is available for you. You don't need to create another one.

>>and what would the ("loggedIn") be ?
Anything. Typically a String such as "loggedIn" will do. In the login page, when the user has been authenticated, you do this

session.setAttribute("loggedIn" , "loggedIn") ;

this puts this string in the session object as the named attribute "loggedIn" . You can retrieve it by calling

String sessLoggedIn = (String) session.getAttribute("loggedIn") ;

If the value of sessLoggedIn is null, then there is no attribute of that name present in the session, i.e. the user has not been logged in.
Dj_majAuthor Commented:
Hi i've been working on these pages and they kind work between the jsp pages but because all my login checking is done in the .class files which are compiled seperetly im getting an exception error when i add the following line :

String loggedIn = (String) session.getAttribute("loggedIn") ;
if ( loggedIn == null )
{
 response.sendRedirect("../login.jsp") ;
}

I ve places this line in different places such as the doGet method , it compiles with textpad but when i run in the server it throws error . Can u tell me how to fix this problem please?
bloodredsunCommented:
First you should always tell me what the error is and print the first couple of lines in the stacktrace as it makes it a lot easier!

If you are using doGet I assume that you are creating a servlet. In servlets, unlike JSPs, you do need to create the session object from the request object, e.g.

//normal imports
import javax.servlet.http.HttpSession;

//servlet name etc

public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
     HttpSession session = request.getSession();//create session
//use the session
   
      

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
raj3060Commented:
You are getting error because after you logout session expires and youm try to access null object. Do it this way:

if (session.getAttribute("loggedIn")  == null )
{
 response.sendRedirect("../login.jsp") ;
}

Also if you are using servlet, then use this code in the biginning of the servlet, this way if you hit back button and there was any request in the history it won't get executed after logout, if you don't check this in servlet, and someone hits back button they will still execute th request in the browser history:

something like this:

in servelt:

if (session.getAttribute("loggedIn")  == null )
{
 response.sendRedirect("../login.jsp") ;
}
else {
// rest servlet code goes here
}

At the top of every JSP page

<%
if (session.getAttribute("loggedIn")  == null )
{
 response.sendRedirect("../login.jsp") ;
}

%>

Now there could be one catch to this:
if someone keep hitting back button at some point they will go to starting of the session i.e when someone logged in, and because this was a request and it will be stored in history someone might be able to login again.......

To avoid this:

use Token so no duplicate request will be executed.
bloodredsunCommented:
Sorry raj3060, but can you tell me what you have posted that I haven't mentioned already?
Dj_majAuthor Commented:
Hi guys, it works now , can u tell me one last thing which is , is there any differemce between creating the session at the top of the Login.jsp file or the doGet method in the java.calass file ?since the login checking is done with me at the .class file after the html form is submited not in the jsp, so basicly im creating the session based on successful login only?do u think i should change the way i do this or it is ok?
bloodredsunCommented:
>>is there any differemce between creating the session at the top of the Login.jsp file or the doGet method in the java.calass file ?

Effectively no, there's none.

>>im creating the session based on successful login only

You are actually only accessing it based on successful login not creating it. The session is already there if you are sending it from a JSP unless you switch off session creation using this tag at the top of the JSP (and all preceding JSPs)

<%@ page session=false %>

>>do u think i should change the way i do this or it is ok?

if it works then leave it alone! But an improvement would be to use a filter to do this checking as it would remove the need to have this code in every JSP.
bloodredsunCommented:
Cheers :-)
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
JSP

From novice to tech pro — start learning today.