Is destroying the user session enough during logout?

Question

I wanted to understand how we can implement a safe logout method in a website. I am trying a logout page in jsp. Is destroying a session enough when the user clicks logout ? If it isn't what are the steps necessary for the logout, to be a safe operation for the user ?

Answer 1

Yep, once you invalidate session, then the session id is no longer valid, probably the session cookie would be also destroyed, so the session is gone (together with all data stored in session).

In order to logout user (either from servlet or from JSP page):

<% 
   HttpSession s = request.getSession(); 
   s.invalidate();
%>

That was the easy part. Now, if you store some important, user specyfic data in a custom cookie, then make sure you clean them. The same applies to HTML 5 local storage - it has to be manualy cleaned.

Answer 2

Depends on your application requirement what functionality do you want during logout. Apart from refreshing or releasing the user session some times there are few variables set in the session, they should also be released properly.

Answer 3

If you stored any user related cookies, you need to clean-up them as well. In other words, any information that used by your server to identify a user should be cleaned up. If it's only the session - then in you case that is sufficient.

Answer 4

Generally I'd say yes, but it depends on what other information you may be storing client-side. For example, if you have any cookies with sensitive information (hopefully you don't) then you should clear those out as well.

Answer 5

Define "safe".

You'd also likely want to turn off caching so hitting the "Back" button wouldn't show potentially-sensitive information. Other than that, not sure what else you're concerned about.