Question

I have written this code for a logout servlet, but when I click on the back button everything is working fine. Kindly suggest.

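import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LogOut extends HttpServlet {

    private static final long serialVersionUID = 1L;

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        PrintWriter out = response.getWriter();
        HttpSession session = request.getSession(true);
        System.out.println("logging out");

        HttpSession session1 = request.getSession();

        // Invalidate the current session
        session1.invalidate();

        out.print("You are successfully logged out!");
        RequestDispatcher rd = request.getRequestDispatcher("/Logout.jsp");
        rd.forward(request, response);

        out.close();
    }
}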

Solution

Session invalidation is enough for a perfect logout servlet. In order to make logout work properly, we want to add a concept of validating authentication.

HttpSession session = request.getSession(true);

session.invalidate();

Create an Auth object every time the user logs in, which includes id, username, etc. Then check that authObj at the beginning of every operation inside the servlet. After the session invalidation, if you try to do any operation you will not get that authObj, because we don't have the username (as an example) that we have already kept in the session. The reason for the unavailability of the username is that we have done session invalidation. So we can't proceed to any operation in which we need to be logged in. Then just add a message like this:

PrintWriter out = response.getWriter();

out.println("SESSION FAILED!");

OTHER TIPS

Although there is no perfect way of doing this (the user can disable JavaScript), we can use the history.forward() method to force the user to bounce back to the next page. But since browsers do not call the onload method every time, and there are other issues too, we have to modify our code:

    <html>
    <head>
    <title>Page One</title>
    <script>
    function backButtonOverride()
    {
      // Pass the function itself rather than a string that gets evaluated
      setTimeout(backButtonOverrideBody, 1);
    }

    function backButtonOverrideBody()
    {
      try {
        history.forward();
      } catch (e) {
        // Ignore: there is no forward entry to move to
      }

      // Retry every 500 ms, because onload is not called on every visit
      setTimeout(backButtonOverrideBody, 500);
    }
    </script>
    </head>
    <body onLoad="backButtonOverride()">
    <h1>Page One</h1>
    <a href="page2.html">Move to Page Two</a>
    </body>
    </html>

I would suggest that instead of implementing this code in the page previous to the logout page, you implement this code in the logout page itself and add JavaScript code to redirect the user from the logout page to the 'login page', just for added security, using:

window.location = url;

In the logout servlet

You need to do something appropriate, like this:

response.addHeader("Cache-Control", "no-cache,no-store,private,must-revalidate,max-stale=0,post-check=0,pre-check=0"); 
response.addHeader("Pragma", "no-cache"); 
response.addDateHeader ("Expires", 0);

If you are using cookies then you need to clear them too

        /**
         * Invalidate all cookies by, for each cookie received,
         * overwriting its value and instructing the browser to delete it.
         */
        Cookie[] cookies = request.getCookies();
        if (cookies != null && cookies.length > 0) {
            for (Cookie cookie : cookies) {
                cookie.setValue("-");
                cookie.setMaxAge(0);
                // Request cookies carry no path; the browser removes a cookie
                // only if the path (and domain) match those it was set with.
                response.addCookie(cookie);
            }
        }

In your Logout.jsp you need to add these in the head tag:

<head>
<meta http-equiv="Cache-Control" content="no-cache,no-store,private,must-revalidate,max-stale=0,post-check=0,pre-check=0" />
<meta http-equiv="Pragma" content="no-cache" />
<meta http-equiv="Expires" content="0" />
</head>
Licensed under: CC-BY-SA with attribution