CODEWITHSUNDEEP
jsp
Gaurav
Gaurav

Reputation: 103

How to invalidate the session in jsp

I am making a project using MVC framework , where in i have created session on multiple pages and on every page there is an anchor tag displaying (logout) where it redirect user to the 1st page (Login Page). What i am trying to do is when user is redirected to the login page it checks that whether there is already an existing session if yes, then it Invalidate's the session and user has to login again. But my code doesn't work after invalidating the session when i click on submit without filling username/password it still takes the old value...please tell me where am i going wrong??

         <jsp:useBean id="theBean" class="pack.java.MyModel"/>
        <jsp:setProperty name="theBean" property="name" param="userName"/>
         <jsp:setProperty name="theBean" property="pass" param="userPass"/>
         <%@ taglib uri="/WEB-INF/jsp2/taglib1.tld" prefix="easy" %>
         <html>
        <head>

        </head>
        <body >
        <form  method="post">
        <h1>Login please</h1>
        Enter username : <input type = text  name = userName  >
          </br>
        Enter password : <input type = password  name = userPass  >
       </br>
        <input type = submit name = submit value = submit>
        </br>
        <%

          HttpSession session=request.getSession(false);

        if(session!=null)
         {
          session.invalidate();
         }
          String btn = request.getParameter("submit");
         if(btn!=null)
      {
       %>

        <easy:myTag/>
       <% 

       }
       %>
    </form>
  </body>
</html>

Upvotes: 2

Views: 17160

Answers (2)

Analyst
Analyst

Reputation: 945

Your prob is that you are calling invalidate way after the response header. Once the jsp has been converted to a servlet, the html code is before those lines of commands. Try putting it before the <hmtl> tag.

Behind the scenes, the system extracts a user ID from a cookie or attached URL data, then uses that ID as a key into a table of previously created HttpSession objects. But this is all done transparently to the programmer: you just call getSession. If no session ID is found in an incoming cookie or attached URL information, the system creates a new, empty session. And, if cookies are being used (the default situation), the system also creates an outgoing cookie named JSESSIONID with a unique value representing the session ID. So, although you call getSession on the request, the call can affect the response. Consequently, you are permitted to call request.getSession only when it would be legal to set HTTP response headers: before any document content has been sent (i.e., flushed or committed) to the client.

As stated in this file: http://www.java-programming.info/tutorial/pdf/csajsp2/08-Session-Tracking.pdf

From this site: http://courses.coreservlets.com/Course-Materials/csajsp2.html

For more general info:

Discarding Session Data

When you are done with a user’s session data, you have three options.

• Remove only the data your servlet created. You can call removeAttribute("key") to discard the value associated with the specified key. This is the most common approach.

• Delete the whole session (in the current Web application). You can call invalidate to discard an entire session. Just remember that doing so causes all of that user’s session data to be lost, not just the session data that your servlet or JSP page created. So, all the servlets and JSP pages in a Web application have to agree on the cases for which invalidate may be called.

• Log the user out and delete all sessions belonging to him or her. Finally, in servers that support servlets 2.4 and JSP 2.0, you can call logout to log the client out of the Web server and invalidate all sessions (at most one per Web application) associated with that user. Again, since this action affects servlets other than your own, be sure to coordinate use of the logout command with the other developers at your site.

Upvotes: 0

venergiac
venergiac

Reputation: 7717

It depends from the framework

the code

<%
session.invalidate();
%>

invalidate a session, but what the "easy:myTag" does?

pute the session invalidate in a separate page; if it works you have to investigate the custom tag myTag.

Upvotes: 2

Related Questions