Help! session.invalidate() doesn't work?
  • #1

    Hi, I followed the code posted on the Spring forum (http://forum.springframework.org/arc...p/t-35618.html) and wrote the following in my logout page to try to kill the session:

    Code:
    <%@ page import="javax.servlet.http.Cookie" %>
    <%@ page import="org.apache.commons.logging.LogFactory" %>
    <%@ page import="org.acegisecurity.context.SecurityContextHolder" %>
    <%@ page import="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices" %>
    <%
    try {
        if (request.getRemoteUser() != null) {
            // Drop the server-side session.
            session.invalidate();
            // Expire the remember-me cookie so the browser stops sending it.
            Cookie terminate = new Cookie(TokenBasedRememberMeServices.ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY, null);
            terminate.setMaxAge(0);
            terminate.setPath("/");
            response.addCookie(terminate);
            // Clear the thread-local security context for this request.
            SecurityContextHolder.clearContext();
        }
    } catch (Exception e) {
        LogFactory.getLog(PageContext.class).error("Error logging out: ", e);
    }

    response.sendRedirect(request.getContextPath() + "/AdminLogin.jsp");
    %>
    but when it reaches the index.htm page, I can still press the back button to go back to the previous page as if I had not been logged out. What should I do?
    Last edited by kuanfai; May 4th, 2007, 06:01 AM.

  • #2
    Ok, you can go back but if you refresh the page can you still access it?
    Last edited by karldmoore; Aug 29th, 2007, 12:24 PM.



    • #3
      Originally posted by karldmoore:
      Ok, you can go back but if you refresh the page can you still access it?
      Yes, even after I refresh the page I can still access the page.



      • #4
        Why do it in a JSP page? Isn't it easier to redirect to the Acegi logout URL (/j_acegi_logout)? I think that is a better solution and cleans up everything you need.



        • #5
          Yes indeed, I'd presume this is what TokenBasedRememberMeServices does anyway. If only I could get at the source and have a look.
          Last edited by karldmoore; Aug 29th, 2007, 12:24 PM.



          • #6
            The source code is in the Acegi package; it is a default class. When the service is registered as a logout handler the cookie is cleared for you. It is just a matter of configuring the correct logout handlers.

            I would like to see his acegi configuration.



            • #7
              Originally posted by mdeinum:
              The source code is in the Acegi package; it is a default class. When the service is registered as a logout handler the cookie is cleared for you. It is just a matter of configuring the correct logout handlers.
              Yes, what I meant to say was if only I could look at the source code, as I don't have it on this computer and I can't get access to download it.

              Originally posted by mdeinum:
              I would like to see his acegi configuration.
              Good plan, any chance we can see the configuration?
              Last edited by karldmoore; Aug 29th, 2007, 12:24 PM.



              • #8
                Hi, the problem is that the same thing happens when I use the standard Acegi way to log out: the back button leads the browser back to the page before logout, even though I made the modifications to use the standard j_acegi_logout mechanism:

                Code:
                	<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
                		<property name="filterInvocationDefinitionSource">
                			<value>
                				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                				PATTERN_TYPE_APACHE_ANT
                				/**=httpSessionContextIntegrationFilter,adminLogoutFilter.....
                			</value>
                		</property>
                	</bean>
                	<bean id="adminLogoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter">
                		<constructor-arg value="/AdminLogin.jsp"/>
                		<constructor-arg>
                			<list>
                				<bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler"/>
                			</list>
                		</constructor-arg>
                		<property name="filterProcessesUrl" value="/j_acegi_logout"/>
                	</bean>
                and Admin.jsp is:
                Code:
                <HTML>
                <HEAD>
                <TITLE>Admin Homepage</TITLE>
                </HEAD>
                <BODY>
                <P>admin login ok</P>
                <a href="j_acegi_logout">&lt;&lt; Log out</a>
                </BODY>
                </HTML>
                The result is that when it reaches the AdminLogin.jsp page, if I press the back button, it goes back to Admin.jsp again. It is supposed to show that the page has expired, isn't it?
                Last edited by kuanfai; May 6th, 2007, 10:05 PM.



                • #9
                  I too ran into this same behavior. It seemed that no matter what my configuration, I could always access the previous page after a logout. I nearly chalked it up to an oddity of the JSF/Acegi combination I was using. However, out of curiosity, I attempted the same thing using the acegi-security-sample-tutorial. Guess what, it does the same thing in the tutorial. :-)

                  I'm not overly concerned about a user accessing the previous page from their session. No other secured pages are accessible and a refresh of the "post logout" page prevents access to the previous page, so it seems things are still locked down tight. However, I am curious to know what other developers have done (if anything) to prevent this behavior, and if they think this is a potential security hole.



                  • #10
                    I think the problem lies in the fact that the back button returns to the previously accessed page, which comes from the web browser's cache; no request to the server is issued.



                    • #11
                      I see, and a quick test confirmed you're right. I'm a bit new to web programming, but I suppose this back button issue would be a problem regardless of the security framework.

                      Thanks!

