3 Replies Latest reply on Dec 5, 2005 3:49 PM by Scott Stark

    logout problem ....... please help

    Joseph Hawa Newbie

      Hello, I have a problem with the logout functionality on my web application . it is a simple application that uses DatabaseServerLoginModule to login and uses invalidate() in the application and flushOnSessionInvalidation="true" in jboss-web.xml. also each page in the jsp has <%@ page session="false"%> on the very top and the session is opened (if needed) using HttpSession sess = request.getSession(false); where the sess would be used as session in the page.

      here is the web.xml snippet:

      <security-constraint>
       <web-resource-collection>
       <web-resource-name>Protected Pages </web-resource-name>
       <url-pattern>/select.jsp</url-pattern>
       <url-pattern>/dispatcher</url-pattern> <!--is a servlet-->
       <url-pattern>/logout.jsp</url-pattern>
       <url-pattern>/page.jsp</url-pattern>
       <url-pattern>/Input.jsp</url-pattern>
       <url-pattern>/Output.jsp</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
       </web-resource-collection>
       <auth-constraint>
       <role-name>myRole</role-name>
       </auth-constraint>
       </security-constraint>
      


      case:
      1) the user logs into the select.jsp and is redirected to the login.jsp. via j_security_check
      2) after successful login, the user is redirected to the select.jsp
      3) the user does some browsing (on secure pages that are in the url-pattern listed above)
      4) when the user wants to logout, the user clicks on a hyperlink logout, which redirects the user to a servlet to the logout method, see below:

      private String logout(HttpServletRequest req, HttpServletResponse res)
       throws ServletException, IOException {
       HttpSession session = req.getSession(false);
       if(session != null) {
       session.invalidate();
       }
      
       return "login.jsp";
      }
      //this invalidates the session and the session is now null if system.out is used
      

      5) the user is redirected to the login.jsp page. now here is the problem. when I click on the back button using the browser the previous page reappears (even though it is restricted and is in the url-patttern in web.xml)

      why is the page reappearing when clicking back button, even though it is secure? shouldnt it show the secure login.jsp again? am I doing something wrong? Im not sure how can I fix this problem?

      if someone with more experience and knowlegde could help i would really appreciate it.