Reputation: 9878
I want to expire a user's session if he succeeded in logging in and then tries to cause harm to my web site. If I detect the attack, I redirect him to an error page and want to expire his session. How can I do that?
Upvotes: 0
Views: 10912
Reputation: 719576
You can invalidate his session, but that's not enough. If that's all you do, he can immediately login again to create a new session. Or zap his session cookie and start again.
You've also got to either disable or remove his account entirely, or remove the access rights that allow him to do whatever it is you are trying to prevent. (And in the extreme case, you may also need to start blocking access based on IP addresses, etc.)
BUT how can I prevent him from going back to the page he was already on?
You cannot prevent him using "back", or reentering the URL from his browser history, or by typing it into the navigation bar.
What you need to do is stop him fetching the page from the server. If he is not logged in, or he doesn't have the relevant access rights, then your server should respond with the "Unauthorized" or "Permission denied" status code whenever he tries to view the page ... or perform any other request that should not be allowed.
Don't just rely on stopping him seeing the page. You also need to implement server-side access controls on the requests that can be made from the page.
Upvotes: 0
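One way to implement the server-side check this answer describes, as an added example that is not part of the original answer: a servlet filter that re-evaluates every request to a protected path, so a cached URL or the Back button only ever gets a 401 or 403 from the server once the session is gone or the account is locked. The `/account/*` path, the `"user"` session attribute and the `LOCKED_ACCOUNTS` set standing in for a real account store are assumptions. The no-cache headers are an addition beyond the answer: they do not stop the user pressing Back, but they make the browser refetch the page instead of showing a stale copy.

```java
import java.io.IOException;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter: every request under /account/* is checked on the server,
// so "back" or a remembered URL never yields protected content by itself.
@WebFilter(urlPatterns = "/account/*")
public class AccessControlFilter implements Filter {

    // Stand-in for a real account store; holds accounts that have been locked.
    static final Set<String> LOCKED_ACCOUNTS = ConcurrentHashMap.newKeySet();

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Ask the browser and any proxy not to cache, so Back refetches from the server.
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        // getSession(false) must not create a session for an unauthenticated request.
        HttpSession session = request.getSession(false);
        String user = session == null ? null : (String) session.getAttribute("user");
        if (user == null) {
            // No valid session: the invalidated one no longer maps to anything.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Login required");
            return;
        }
        if (LOCKED_ACCOUNTS.contains(user)) {
            // Authenticated but locked: logging in again must not restore access.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Account locked");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Because the check runs on every request rather than once at login, invalidating the session and locking the account are enough to cut off both the page views and the form submissions made from the page.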
Reputation: 120308
The session has an invalidate method.
session.invalidate();
Look at the API
You probably want to do more than just log out the user; maybe disable the account, log the incident, etc...
For getting the user to the error page, you can use either forward or redirect. If it makes sense, you should use
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Stop doing bad things");
Check out
http://download.oracle.com/docs/cd/E17802_01/webservices/webservices/docs/1.6/api/index.html
Upvotes: 3
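The steps this answer lists (invalidate the session, disable the account, log the incident, answer with an error status) put together in one handler, as an added example that is not code from the original answer. The `/account/transfer` path, the `"user"` session attribute, the `LOCKED_ACCOUNTS` set standing in for a real account store and the `looksMalicious` rule are all assumptions; the page only says "if I detect the attack", so the rule here is a placeholder for whatever detection you actually have.

```java
import java.io.IOException;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/account/transfer")
public class TransferServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(TransferServlet.class.getName());
    // Stand-in for a real account store; holds accounts that have been locked.
    static final Set<String> LOCKED_ACCOUNTS = ConcurrentHashMap.newKeySet();

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession(false);
        String user = session == null ? null : (String) session.getAttribute("user");
        if (user == null || LOCKED_ACCOUNTS.contains(user)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (looksMalicious(request)) {
            terminate(request, response, user, "amount parameter is not a plain integer");
            return;
        }
        // ... normal handling of the request would go here ...
        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // Assumed detection rule: stands in for whatever check detects the attack.
    private boolean looksMalicious(HttpServletRequest request) {
        String amount = request.getParameter("amount");
        return amount != null && !amount.matches("\\d{1,9}");
    }

    private void terminate(HttpServletRequest request, HttpServletResponse response,
                           String user, String reason) throws IOException {
        // 1. Log the incident with enough context to investigate later.
        LOG.warning(String.format("blocked user=%s ip=%s uri=%s reason=%s",
                user, request.getRemoteAddr(), request.getRequestURI(), reason));
        // 2. Lock the account so a fresh login cannot simply create a new session.
        LOCKED_ACCOUNTS.add(user);
        // 3. Invalidate the session; the cookie the browser still holds now maps to nothing.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // 4. Answer with an error status instead of a normal page, as the answer suggests.
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Stop doing bad things");
    }
}
```

The order matters: lock the account before invalidating the session, so there is no window in which the user can log in again between the two steps.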