Re: logout problem when using back button

From: Alex <alexander1113_at_email.com>
Date: 8 Jul 2003 07:20:55 -0700
Message-ID: <e80bd497.0307080620.7aadf9d8_at_posting.google.com>


Try giving the user a unique token id, like the session id. Write it to your login page and at the same time store it in a static hash table. When the user logs in it will call your servlet; your servlet will check if the user is valid and, after that, check the hashtable. If that key is there, then delete the key; this way you avoid memory problems. If the user logs out and then presses the back button to hit your login page, the old values will be sent along with the old token. Since you deleted the token when the user logged in, the login will be invalid.

Alex
humberto.rios_at_byu.edu (humberto rios) wrote in message news:<a7885d05.0306230726.7ed48914_at_posting.google.com>...
> Problem:
> I am writing an authentication login/logout application using JDev and
> BC4J. It works fine, but if I log out and then use the browser back button to
> go back, the login action gets called again and logs the user in again.
> It should not remember which user it is. I tried using JavaScript to
> disallow the back button but it only works one page back. I have
> tried invalidating the session like:
> request.getSession().invalidate(). I also remove the form after the
> login action so it would not remember the name and password:
> // Remove the obsolete form bean
> if (mapping.getAttribute() != null) {
>     if ("request".equals(mapping.getScope())) {
>         System.out.println("Removing form from request so not carry forward");
>         request.removeAttribute(mapping.getAttribute());
>     }
>     else {
>         System.out.println("Removing form from session so not carry forward");
>         HttpSession session = request.getSession();
>         session.removeAttribute(mapping.getAttribute());
>     }
> }
>
> I have also used request.getSession(false).removeAttribute(LOGIN),
> with false instead of true.
> None has made a difference. I took a look at several BC4J examples on
> the web and they all have the same problem.
>
> Header page included in each JSP to check if the user is logged in or not, to
> provide icons to log in or log out.
>
> <logic:present name="UserLoggedIn" scope="session">
>   <a href="signout.do" onmouseover="img_on('signout')"
>      onmouseout="img_off('signout')"><img
>      alt="<bean:message key='logout.title'/>"
>      src="<bean:message key='images.toolbar.signout'/>" border="0"
>      name="img_signout"></a>
> </logic:present>
> <logic:notPresent name="UserLoggedIn" scope="session">
>   <a href="login.do" onmouseover="img_on('signin')"
>      onmouseout="img_off('signin')"><img
>      alt="<bean:message key='login.title'/>"
>      src="<bean:message key='images.toolbar.signin'/>" border="0"
>      name="img_signin"></a>
> </logic:notPresent>
>
> The signout action calls another class in to remove user variable from
> session:
>
> private static final String LOGIN = "UserLoggedIn";
> ...
> public static void signOut(HttpServletRequest request) {
>     // Drop the logged-in marker from the session
>     request.getSession(true).removeAttribute(LOGIN);
> }
>
> The login action puts user name into session:
> public static void signIn(HttpServletRequest request, String username) {
>     // Mark the session as logged in by storing the user name
>     request.getSession(true).setAttribute(LOGIN, username);
> }
>
> the following are the actions on struts-config.xml
>
> <action path="/login"
> type="edu.byu.ce.orion.registration.controller.actions.LoginAction"
> input="/yp.jsp"
> validate="true"
> name="LoginForm"
> scope="request">
> <forward name="success" path="/welcome.jsp" />
> </action>
>
> <!-- Signout from the store -->
> <action path="/signout"
> type="edu.byu.ce.orion.registration.controller.actions.SignOutAction">
> <!--<set-property property="application" value="ToyStore"/>-->
> <!--<set-property property="releasemode" value="Stateful"/>-->
> <forward name="success" path="goodbye.jsp"/>
> </action>
Received on Tue Jul 08 2003 - 16:20:55 CEST
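
The one-time token scheme described in the reply above, as an added example that is not code from this thread: a token is issued when the login page is rendered and removed on first use, so a form resubmitted via the back button is rejected. The class name, the random token (instead of the session id) and the 10-minute expiry are assumptions; the expiry goes beyond the reply and covers login pages that are rendered but never submitted.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;

/** One-time login-form tokens (hypothetical class name, not from the thread). */
public class LoginTokenStore {
    private static final long TTL_MILLIS = 10 * 60 * 1000L; // assumed form lifetime
    private static final SecureRandom RNG = new SecureRandom();
    // token -> expiry time; static, like the hash table the reply describes
    private static final ConcurrentHashMap<String, Long> TOKENS = new ConcurrentHashMap<>();

    /** Call when rendering the login page; embed the result in a hidden form field. */
    public static String issue(long now) {
        // Drop tokens from login pages that were rendered but never submitted.
        TOKENS.values().removeIf(expiry -> expiry <= now);
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        TOKENS.put(token, now + TTL_MILLIS);
        return token;
    }

    /** Call in the login action; reject the login when this returns false. */
    public static boolean consume(String token, long now) {
        if (token == null) return false;          // form posted without a token
        Long expiry = TOKENS.remove(token);       // atomic: a concurrent replay gets null
        return expiry != null && expiry > now;    // unknown, already used, or expired
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis();
        String token = issue(now);                                // login page rendered
        System.out.println("first submit:  " + consume(token, now));
        System.out.println("back + submit: " + consume(token, now));
        String stale = issue(now);                                // page left open too long
        System.out.println("expired:       " + consume(stale, now + TTL_MILLIS + 1));
        System.out.println("forged:        " + consume("constructed-sample-value", now));
    }
}
```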
