hi,
i'm trying to build a web page which permits the user to login before accessing the contents of the site. the login works fine (i did it using jsp), but i am not able to logout properly, that is, when i click on a "logout" hyperlink, it sends me to the proper page, but when i do "back" on my explorer, it gives me the previous page again. so my logout is pointless.

can anyone tell me how to prevent this from happening please?i don't know if i should use jsp, javascript or html to do this.
i need this urgently for my project.
thanks for replying as quickly as possible.

I assume your login assigns a session. If so, than on logout do
session.invalidate() Pushing back on the browser may still show the
site but it should only be a version of the site in the cache. If the user
tries to actually submit anything, or reload the site, it should not work.

I assume your login assigns a session. If so, than on logout do
session.invalidate() Pushing back on the browser may still show the
site but it should only be a version of the site in the cache. If the user
tries to actually submit anything, or reload the site, it should not work.

actually i didn't use session, i did the login using pure java code by matching the username and password from the database, then just put it in the jsp code in my web page.
is session secure?if you have a working piece of code using session can you send me please?i need this urgently for my project. thanks for your help!

on the login page, you create a session as follows:

HttpSession session = request.getSession(true);

this will create a session if none exists.

During the rest of the users activities, all other pages should use the
following:

HttpSession session = request.getSession(false);

This will return null if there is no valid session. So check for this.

If anything happens (i.e. the login fails or you go to the logout page),
do the following:

session.invalidate();

This will invalidate the session so that further getSession calls using false
return null.

This is the basic session process/life cycle.

The login itself, you can still do yourself, and if it fails, just invalidate
the session, as mentioned above. If it succeeds, then continue with the
site, and on the logout page, invalidate the session again.

on the login page, you create a session as follows:

HttpSession session = request.getSession(true);

this will create a session if none exists.

During the rest of the users activities, all other pages should use the
following:

HttpSession session = request.getSession(false);

This will return null if there is no valid session. So check for this.

If anything happens (i.e. the login fails or you go to the logout page),
do the following:

session.invalidate();

This will invalidate the session so that further getSession calls using false
return null.

This is the basic session process/life cycle.

The login itself, you can still do yourself, and if it fails, just invalidate
the session, as mentioned above. If it succeeds, then continue with the
site, and on the logout page, invalidate the session again.

i tried using the HttpSession session = request.getSession(true);
i just have to put it between <% %> at the start of the page right? well its giving me the error: duplicate session variable. am very new to jsp, sorry if i seem a bit dumb ;)

First you check for the User name and password submitted from the login page , after validating the values submitted by the user , set a flag if the user is valid (successful login)
Like session.setAttribute("flag","true");
then put a condition down to forward the page .
your logout button should take you to the page where session.invalidate(); get called
now your logout function should happen

l

Hi to all. I have tried the code:

session.invalidate();

But still i am able to archive my solution.
When i click back button. Its still going to the previous page.

Plz any one can help me on this.
Advance thanks.

Have you tried "reloading" that page, or is it simply a static version cached by the browser?

If you are able to "reload" the page, then I am willing to bet that you are using getSession(true) to retrieve the session (in which case you are creating a new session if one does not already exist).

The static, cached page you can't really do anything about (from the server). You can set response headers and pragmas (Google no-cache and expires) to try and prevent it, but the browser does not have to follow these. Or you can use some JavaScript to play with the history, but the browser may have this deactivated.

Hi Masijade thanks for your reply. I am using only an static page. I want to use only userName and password fields only as you can see some mailling websites. How can i get that? Plz can you help me.

This article has been dead for over six months. Start a new discussion instead.