Posted to dev@tomcat.apache.org by "Dunlop, Aaron" <Aa...@dat.com> on 2001/03/06 23:11:59 UTC
Re: TC3.3m1 Possible bug with session.invalidate
I seem to be having a similar problem. My app also uses session information to track logins, and calls session.invalidate() when a user logs out.
So far I'm seeing that if a user starts up a new browser, logs in, logs out, and attempts to login again as a different user, they get the session from their first login as if they had never logged out. Logging off again appears to fix the problem, and subsequent logins from the browser work fine. The problem recurs when a new browser is started.
I don't see any references to this problem in Bugzilla, so I'll dive into the code and see what I can find. But if by chance someone has already fixed this problem somewhere, please let me know.
-----------
Environment:
Server:
Tomcat 3.3m1 standalone on Solaris 2.7
IBM JDK 1.2.2
Client:
NT 4.0 SP 5
IE 5.5 or Netscape 4.7 - same symptoms
Thanks,
Aaron Dunlop
aaron.dunlop@dat.com
------------------------------------------------------------------------------
From: Sam.Cooper@scisys.co.uk
Hi,
I seem to be having a problem with session.invalidate(). I'm using this for users to log out of my web site but it seems to take two attempts before the user is properly logged out!
I am using JDBCRealms for authentication BTW.
I have set up a simple four page web site:
test/jsp/index.jsp ---- front page
<%
response.setHeader("Cache-Control","no-cache"); //HTTP 1.1
response.setHeader("Pragma","no-cache"); //HTTP 1.0
response.setDateHeader ("Expires", 0); //prevents caching at the proxy server
%>
<html>
<body>
<%=request.toString()%><br>
<%=request.getSession (false)%><br>
<%=request.getRemoteUser()%><br>
<%=request.getUserPrincipal()%><br>
<h2><a href="protected/index.jsp">Login</a></h2>
</body>
</html>
test/jsp/protected/index.jsp --- protected page
<%
response.setHeader("Cache-Control","no-cache"); //HTTP 1.1
response.setHeader("Pragma","no-cache"); //HTTP 1.0
response.setDateHeader ("Expires", 0); //prevents caching at the proxy server
%>
<html>
<body>
<%=request.toString()%><br>
<%=request.getSession (false)%><br>
<h2>you are currently logged in as <%= request.getRemoteUser() %></h2>
<h3><a href="logout.jsp">Logout</a></h3>
</body>
</html>
test/jsp/protected/logout.jsp --- logout page
<%
response.setHeader("Cache-Control","no-cache"); //HTTP 1.1
response.setHeader("Pragma","no-cache"); //HTTP 1.0
response.setDateHeader ("Expires", 0); //prevents caching at the proxy server
%>
<html>
<body>
<%=request.toString()%><br>
<%=request.getSession (false)%><br>
<%=request.getRemoteUser()%><br>
<%=request.getUserPrincipal()%><br>
<%
session.invalidate ();
%>
<%=request.getSession (false)%><br>
<%=request.toString()%><br>
<%=request.getRemoteUser()%><br>
<%=request.getUserPrincipal()%><br>
<a href="../index.jsp">home</a>.
</body>
</html>
test/jsp/login/login.jsp --- login page used by FORM based authentication.
<html>
<body>
<h1>Login page </h1>
<form method="POST" action="j_security_check" >
Username: <input type="text" name="j_username"><br>
Password: <input type="password" name="j_password"><br>
<br>
<input type="submit" value="login" name="j_security_check">
</form>
</body>
</html>
The problem occurs like this:
The first time around the request for protected/index.jsp is detected and you have to log in.
From there, access the logout page which does a <% session.invalidate();%>.
Then back to jsp/index.jsp, try and access the protected page from here ------ straight in as still authenticated.
Accessing the log out page again, actually logs out this time!
Is this a known problem? Any possible workarounds?
Thanks,
Sam.
PS. This works fine on TC3.2.1
Re: TC3.3m1 Possible bug with session.invalidate
Posted by Thomas Riemer <to...@58k.com>.
I got around this by just removing j_password and j_username from the sessionid.
HttpSession sessionid = request.getSession(false);
if (sessionid != null) { // getSession(false) returns null when no session exists
    sessionid.removeValue("j_password");
    sessionid.removeValue("j_username");
}
"Dunlop, Aaron" wrote:
>
>
> I seem to be having a similar problem. My app also uses session
> information to track
> logins, and calls session.invalidate() when a user logs out.
Re: TC3.3m1 Possible bug with session.invalidate
Posted by William Barker <wb...@wilshire.com>.
The place to look is src/share/org/apache/tomcat/modules/session/SimpleSessionStore.java. Or, better, get the latest version of this file since the bug was fixed about two weeks ago.
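A logout handler that combines the workaround Thomas Riemer describes above with session.invalidate(), as an added example (not code from the thread or from Tomcat). It assumes, as that workaround implies, that the form-login credentials sit in the session under j_username and j_password; the class name LogoutServlet and the redirect target are hypothetical, and removeAttribute is used in place of the deprecated removeValue.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout servlet (name and URL mapping are assumptions).
public class LogoutServlet extends HttpServlet {

    // Attribute names taken from the workaround posted in this thread.
    private static final String[] CREDENTIAL_ATTRS = { "j_username", "j_password" };

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Same no-cache headers as the JSPs in the thread, so the logout
        // response is not served again from a browser or proxy cache.
        response.setHeader("Cache-Control", "no-cache");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        HttpSession session = request.getSession(false); // null if no session exists
        if (session != null) {
            try {
                // Remove the stored credentials first (assumption drawn from the
                // workaround): if the session object outlives invalidate(), it
                // no longer carries anything that identifies the user.
                for (int i = 0; i < CREDENTIAL_ATTRS.length; i++) {
                    session.removeAttribute(CREDENTIAL_ATTRS[i]);
                }
                session.invalidate();
            } catch (IllegalStateException alreadyInvalid) {
                // Session was invalidated earlier in this request; nothing to clear.
            }
        }

        // Expire the standard JSESSIONID cookie in the browser as well.
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setMaxAge(0);
        String path = request.getContextPath();
        expired.setPath(path.length() == 0 ? "/" : path);
        response.addCookie(expired);

        // Redirect so the next page is a fresh request; the target is an assumption.
        response.sendRedirect(request.getContextPath() + "/index.jsp");
    }
}
```

To check the result, request protected/index.jsp straight after logging out: the container should answer with the login form rather than the protected page.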