I got around this by just removing j_password and j_username from the sessionid.

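HttpSession sessionid = request.getSession(false);
if (sessionid != null) { // getSession(false) returns null when no session exists
    // removeAttribute() replaces the deprecated removeValue()
    sessionid.removeAttribute("j_password");
    sessionid.removeAttribute("j_username");
}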

"Dunlop, Aaron" wrote:

I seem to be having a similar problem. My app also uses session information to track
logins, and calls session.invalidate() when a user logs out.

So far I'm seeing that if a user starts up a new browser, logs in, logs out, and attempts
to log in again as a different user, they get the session from their first login as if they
had never logged out. Logging off again appears to fix the problem, and subsequent logins
from the browser work fine. The problem recurs when a new browser is started.

I don't see any references to this problem in Bugzilla, so I'll dive into the code and
see what I can find. But if by chance someone has already fixed this problem somewhere,
please let me know.

-----------
Environment:

Server:
Tomcat 3.3m1 standalone on Solaris 2.7
IBM JDK 1.2.2

Client:
NT 4.0 SP 5
IE 5.5 or Netscape 4.7 - same symptoms

Thanks,
Aaron Dunlop
[EMAIL PROTECTED]

------------------------------------------------------------------------------
From: [EMAIL PROTECTED]

Hi,

I seem to be having a problem with session.invalidate(). I'm using this for
users to log out of my web site but it seems to take two attempts before the user
is properly logged out!

I am using JDBCRealms for authentication BTW.

I have set up a simple four page web site:

test/jsp/index.jsp ---- front page
<%
response.setHeader("Cache-Control","no-cache"); //HTTP 1.1
response.setHeader("Pragma","no-cache"); //HTTP 1.0
response.setDateHeader ("Expires", 0); //prevents caching at the proxy server
%>
<html>
<body>
<%=request.toString()%><br>
<%=request.getSession (false)%><br>
<%=request.getRemoteUser()%><br>
<%=request.getUserPrincipal()%><br>

<h2><a href="protected/index.jsp">Login</a></h2>

</body>
</html>

test/jsp/protected/index.jsp --- protected page
<%
response.setHeader("Cache-Control","no-cache"); //HTTP 1.1
response.setHeader("Pragma","no-cache"); //HTTP 1.0
response.setDateHeader ("Expires", 0); //prevents caching at the proxy server
%>
<html>
<body>

<%=request.toString()%><br>
<%=request.getSession (false)%><br>
<h2>you are currently logged in as <%= request.getRemoteUser() %></h2>
<h3><a href="logout.jsp">Logout</a></h3>

</body>
</html>

test/jsp/protected/logout.jsp --- logout page
<%
response.setHeader("Cache-Control","no-cache"); //HTTP 1.1
response.setHeader("Pragma","no-cache"); //HTTP 1.0
response.setDateHeader ("Expires", 0); //prevents caching at the proxy server
%>
<html>
<body>
<%=request.toString()%><br>
<%=request.getSession (false)%><br>
<%=request.getRemoteUser()%><br>
<%=request.getUserPrincipal()%><br>
<%
     session.invalidate ();
%>
<%=request.getSession (false)%><br>
<%=request.toString()%><br>
<%=request.getRemoteUser()%><br>
<%=request.getUserPrincipal()%><br>

<a href="../index.jsp">home</a>.
</body>
</html>

test/jsp/login/login.jsp --- login page used by FORM based authentication.
<html>
<body>
<h1>Login page </h1>

<form method="POST" action="j_security_check" >
 Username: <input type="text" name="j_username"><br>
 Password: <input type="password" name="j_password"><br>
 <br>
 <input type="submit" value="login" name="j_security_check">
</form>

</body>
</html>

The problem occurs like this:
The first time around the request for protected/index.jsp is detected and you
have to log in.
From there, access the logout page which does a <% session.invalidate();%>.
Then back to jsp/index.jsp, try and access the protected page from here ------
straight in as still authenticated.
Accessing the log out page again, actually logs out this time!

Is this a known problem? Any possible workarounds?

Thanks,
Sam.
PS. This works fine on TC3.2.1
