Posted to users@tomcat.apache.org by Martin O'Shea <ap...@dsl.pipex.com> on 2011/10/12 22:48:50 UTC

Application not logging out properly

Hello

I'm using Apache Tomcat 6.0.26 for an application where the majority of the
content is hidden behind a page requiring authenticated login. This appears
to work fine but upon logout, I find I am able to browse back through some
of the pages visited in the session.

As far as I'm aware, and in other applications I've seen and worked on, this
shouldn't happen.

I'm using a listener to detect sessions created and destroyed and this seems
to be fine because I'm recording events in the database when these happen.

My log out instruction is present on most pages as follows:

<a href = "/myApp/jsp/index/index.jsp?logoff=true" title = "Log out.">

And in the index.jsp cited above, I have code:

<%
    // Log out.
    if (request.getParameter("logoff") != null) {
        session.invalidate();
        response.sendRedirect("/myApp/");
        return;
    }
%>

Which returns a user to the login page.

The problem is only occasional and I can see no pattern to it, but it
happens under two different installations of version 6.0.26 on different
machines. So either this version is the cause, which I don't believe because
other applications seem unaffected, or my application has an issue which I
can't find.

Any ideas?

Thanks

Martin O'Shea.


Re: Application not logging out properly

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Martin,

On 10/12/2011 6:01 PM, Martin O'Shea wrote:
> I'm not disagreeing and have set a filter to this end. But it
> doesn't explain why I can see the pages after session
> invalidation.

Your web browser has an on-disk cache. It's reading the files from
there. If you watch your web server logs (or observe what the browser
does using httpfox, fiddler, etc.) you will likely see that there is no
server interaction whatsoever.

The client has no idea that the session has expired and that somehow,
it should expire all the pages in its cache.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Application not logging out properly

Posted by Martin O'Shea <ap...@dsl.pipex.com>.
Well, there's no intermediary: I'm seeing this in NetBeans 7.0.1 with AT 6.0.26, and if my NoCache_Filter contains this:

// Force browser not to cache pages.
HttpServletResponse hsr = (HttpServletResponse) response;
hsr.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
hsr.setHeader("Pragma", "no-cache"); // HTTP 1.0.
hsr.setDateHeader("Expires", 0); // Proxies.

With the settings in web.xml as follows:

<filter-mapping>
    <filter-name>NoCacheFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>ERROR</dispatcher>
</filter-mapping>

So be it.

I can always edit the <url-pattern> to exclude certain pages anyway.

Thanks.


-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com] 
Sent: 12 Oct 2011 23:05
To: Tomcat Users List
Subject: RE: Application not logging out properly

> From: Martin O'Shea [mailto:appy74@dsl.pipex.com] 
> Subject: RE: Application not logging out properly

> But it doesn't explain why I can see the pages after session invalidation.

It certainly does.  If the browser (or some other intermediary) is caching the pages, they will be available for display.  Try sniffing the network traffic at both the browser and Tomcat ends to see who has the data.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.




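A complete filter along the lines of the fragment in the message above, as an added example (this is not code from the thread or from Tomcat; the class name NoCacheFilter and the choice to key on getUserPrincipal() are this example's assumptions). It differs from a blanket mapping in one respect: only responses to authenticated users are marked uncacheable, so the login page, error pages and static assets served to anonymous visitors keep their normal caching, which addresses the "sledgehammer" concern without hand-editing the url-pattern. The headers are set before chain.doFilter() so they are on the response even if a JSP commits it early; a servlet that calls response.reset() would discard them, and would need a response wrapper that re-applies them.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the thread): marks every response to an
 * authenticated user as uncacheable, so nothing seen during a login
 * session can be served from the browser cache after logout. Responses
 * to anonymous requests (login page, error pages, static assets) are
 * left alone and keep whatever caching they normally have.
 */
public class NoCacheFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // Nothing to configure.
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (request instanceof HttpServletRequest
                && response instanceof HttpServletResponse) {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse resp = (HttpServletResponse) response;
            if (isAuthenticated(req)) {
                // Set before the chain runs: a JSP that flushes its buffer
                // early commits the headers, and nothing added afterwards
                // would reach the client.
                applyNoStore(resp);
            }
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
        // Nothing to release.
    }

    /**
     * The container sets the principal after a successful FORM login
     * (j_security_check). Testing for a session alone would be wrong:
     * Tomcat creates a session to hold the saved request before the
     * user has logged in at all.
     */
    static boolean isAuthenticated(HttpServletRequest req) {
        return req.getUserPrincipal() != null;
    }

    /**
     * no-store is the only directive that tells a cache not to keep the
     * body at all; no-cache and must-revalidate merely require a check
     * with the server before a stored copy is reused. Pragma and Expires
     * cover HTTP/1.0 caches that ignore Cache-Control.
     */
    static void applyNoStore(HttpServletResponse resp) {
        resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        resp.setHeader("Pragma", "no-cache");
        resp.setDateHeader("Expires", 0L);
    }
}
```

Declare it in web.xml with a <filter> element whose <filter-class> names this class, and keep the <filter-mapping> shown in the message above; because the filter tests getUserPrincipal(), the /* pattern is safe to leave in place. To confirm it is doing its job, watch the traffic in the browser's developer tools or Fiddler: a protected page's response should carry Cache-Control: no-store, and pressing Back after logout should produce a new request to the server, which the security constraint answers with the login page rather than the old content.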


RE: Application not logging out properly

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Martin O'Shea [mailto:appy74@dsl.pipex.com] 
> Subject: RE: Application not logging out properly

> But it doesn't explain why I can see the pages after session invalidation.

It certainly does.  If the browser (or some other intermediary) is caching the pages, they will be available for display.  Try sniffing the network traffic at both the browser and Tomcat ends to see who has the data.

 - Chuck




RE: Application not logging out properly

Posted by Martin O'Shea <ap...@dsl.pipex.com>.
I'm not disagreeing and have set a filter to this end. But it doesn't explain why I can see the pages after session invalidation.

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: 12 Oct 2011 22:59
To: Tomcat Users List
Subject: Re: Application not logging out properly


Chuck,

On 10/12/2011 5:30 PM, Caldarale, Charles R wrote:
>> From: Martin O'Shea [mailto:appy74@dsl.pipex.com] Subject: RE:
>> Application not logging out properly
> 
>> I would rather avoid forcing the browser to reload each page via the 
>> appropriate headers.
> 
> Then they're going to be available in the browser cache until the 
> browser chooses to discard them.  You can't have it both ways.

The OP could set expires headers that are relatively short-lived. That way, the client /should/ request a fresh page after, say, 30 minutes or whatever the session timeout is set to.

But Martin, I agree with Chuck: you can't have it both ways.

-chris



Re: Application not logging out properly

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Chuck,

On 10/12/2011 5:30 PM, Caldarale, Charles R wrote:
>> From: Martin O'Shea [mailto:appy74@dsl.pipex.com] Subject: RE:
>> Application not logging out properly
> 
>> I would rather avoid forcing the browser to reload each page via
>> the appropriate headers.
> 
> Then they're going to be available in the browser cache until the 
> browser chooses to discard them.  You can't have it both ways.

The OP could set expires headers that are relatively short-lived. That
way, the client /should/ request a fresh page after, say, 30 minutes
or whatever the session timeout is set to.

But Martin, I agree with Chuck: you can't have it both ways.

-chris


RE: Application not logging out properly

Posted by Martin O'Shea <ap...@dsl.pipex.com>.
Well, it seems that using a no cache filter works for Chrome, Firefox and
IE. But Opera and Safari don't obey the rules at all.

-----Original Message-----
From: cjderham@gmail.com [mailto:cjderham@gmail.com] On Behalf Of chris
derham
Sent: 12 Oct 2011 23:22
To: Tomcat Users List
Subject: Re: Application not logging out properly

>> Then they're going to be available in the browser cache until the 
>> browser chooses to discard them.  You can't have it both ways.
>
>The OP could set expires headers that are relatively short-lived. That 
>way, the client /should/ request a fresh page after, say, 30 minutes or 
>whatever the session timeout is set to.
>
>But Martin, I agree with Chuck: you can't have it both ways.

I was going to suggest that you could use the ETag to create tags composed
of the last edit time and the session-id. That way the pages will be cached
for the current user's session, but are refreshed once the user logs
out/original page is updated. It's not true caching in that the browser will
still ask the server if it has changed, but at least it won't have to send
the whole file down each time.

Seems that the thread has moved on now though. If I understood correctly you
have turned off all caching, yet the pages are still cached. I agree with
the others - try using some tools to sniff the actual network traffic. I
find Fiddler very useful for this kind of work.

Chris





Re: Application not logging out properly

Posted by chris derham <ch...@derham.me.uk>.
>> Then they're going to be available in the browser cache until the
>> browser chooses to discard them.  You can't have it both ways.
>
>The OP could set expires headers that are relatively short-lived. That
>way, the client /should/ request a fresh page after, say, 30 minutes
>or whatever the session timeout is set to.
>
>But Martin, I agree with Chuck: you can't have it both ways.

I was going to suggest that you could use the ETag to create tags composed
of the last edit time and the session-id. That way the pages will be cached
for the current user's session, but are refreshed once the user logs
out/original page is updated. It's not true caching in that the browser will
still ask the server if it has changed, but at least it won't have to send
the whole file down each time.

Seems that the thread has moved on now though. If I understood correctly you
have turned off all caching, yet the pages are still cached. I agree with
the others - try using some tools to sniff the actual network traffic. I
find Fiddler very useful for this kind of work.

Chris
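The ETag idea in the post above, worked through as an added example (this servlet is not from the thread or from Tomcat; the class name SessionBoundPageServlet, the fixed LAST_MODIFIED value and the page body are assumptions made for the example). The validator is a SHA-256 digest over the page's last-modified time and the session id rather than the raw id, so the session id itself never appears in a response header. The response carries Cache-Control: private, no-cache, so the browser may keep a copy but must send If-None-Match before reusing it; after session.invalidate() the next request has a different session id (or none), the tag no longer matches, and the page is regenerated. One caveat: no-cache governs revalidation, not storage, and for back/forward navigation browsers may show a stored page without asking, so no-store remains the safer choice for anything sensitive.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the thread): a protected page whose ETag is
 * bound to the current session. The browser may keep a private copy but
 * has to revalidate it with If-None-Match before every reuse; once the
 * session has been invalidated the tag can no longer match, so the page
 * is regenerated (or the container redirects to the login form first).
 */
public class SessionBoundPageServlet extends HttpServlet {

    private static final Charset UTF8 = Charset.forName("UTF-8");

    // Assumption: a fixed last-modified time stands in for whatever the
    // real application would read from its backing data.
    private static final long LAST_MODIFIED = 1318459200000L; // 2011-10-12T22:40:00Z

    /** Strong ETag: SHA-256 over (lastModified, sessionId), truncated to 128 bits. */
    static String etagFor(long lastModified, String sessionId) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update((lastModified + ":").getBytes(UTF8));
            md.update(sessionId.getBytes(UTF8));
            byte[] digest = md.digest();
            StringBuilder sb = new StringBuilder("\"");
            for (int i = 0; i < 16; i++) {
                sb.append(String.format("%02x", digest[i] & 0xff));
            }
            return sb.append('"').toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /** True when If-None-Match lists the given ETag (weak forms accepted) or is "*". */
    static boolean matches(String ifNoneMatch, String etag) {
        if (ifNoneMatch == null) {
            return false;
        }
        if ("*".equals(ifNoneMatch.trim())) {
            return true;
        }
        for (String candidate : ifNoneMatch.split(",")) {
            String tag = candidate.trim();
            if (tag.startsWith("W/")) {
                tag = tag.substring(2);
            }
            if (tag.equals(etag)) {
                return true;
            }
        }
        return false;
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        if (session == null || req.getUserPrincipal() == null) {
            // Normally unreachable behind a <security-constraint>; belt and braces.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String etag = etagFor(LAST_MODIFIED, session.getId());

        // private: shared caches must not store it; no-cache: the browser
        // must revalidate before reusing its copy. Sent on the 304 as well.
        resp.setHeader("Cache-Control", "private, no-cache");
        resp.setHeader("ETag", etag);

        if (matches(req.getHeader("If-None-Match"), etag)) {
            resp.setStatus(HttpServletResponse.SC_NOT_MODIFIED);
            return;
        }
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<html><body><p>Protected content.</p></body></html>");
    }
}
```

Map the servlet under the same <security-constraint> as the rest of the protected area. During a session, a second visit to the page should show a 304 in the browser's network panel; after logging out and back in, the first visit should be a full 200 with a different ETag value, which is the sign that the validator is really bound to the session.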

RE: Application not logging out properly

Posted by Martin O'Shea <ap...@dsl.pipex.com>.
Not HTTPS, but it's worth me checking as you advise.

-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com] 
Sent: 12 Oct 2011 23:16
To: Tomcat Users List
Subject: RE: Application not logging out properly

> From: Martin O'Shea [mailto:appy74@dsl.pipex.com]
> Subject: RE: Application not logging out properly

> But I can see these pages visited in the session just invalidated by 
> using the browser's back button after logging out.

The session state is completely irrelevant - the browser knows nothing about it.  Again, it looks like the browser is caching the pages.

> By other Tomcat applications, I mean other applications which have the 
> same arrangements and run under 6.0.26. But when I log out from one of 
> these, I can't see pages just visited.

Sniff the network traffic or use one of the plugins Chris suggested to see what's different about the pages that aren't getting cached.  (Using HTTPS, perhaps?)

 - Chuck








RE: Application not logging out properly

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Martin O'Shea [mailto:appy74@dsl.pipex.com] 
> Subject: RE: Application not logging out properly

> But I can see these pages visited in the session just invalidated 
> by using the browser's back button after logging out.

The session state is completely irrelevant - the browser knows nothing about it.  Again, it looks like the browser is caching the pages.

> By other Tomcat applications, I mean other applications which have 
> the same arrangements and run under 6.0.26. But when I log out from
> one of these, I can't see pages just visited.

Sniff the network traffic or use one of the plugins Chris suggested to see what's different about the pages that aren't getting cached.  (Using HTTPS, perhaps?)

 - Chuck




RE: Application not logging out properly

Posted by Martin O'Shea <ap...@dsl.pipex.com>.
But I can see these pages visited in the session just invalidated by using the browser's back button after logging out.

By other Tomcat applications, I mean other applications which have the same arrangements and run under 6.0.26. But when I log out from one of these, I can't see pages just visited.

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: 12 Oct 2011 23:01
To: Tomcat Users List
Subject: Re: Application not logging out properly


Martin,

On 10/12/2011 5:58 PM, Martin O'Shea wrote:
> This is true of the current application, but also true of the other 
> Tomcat applications I have.
> 
> But the others don't seem to have this problem.

Which others?

> I know the sessions are invalidating because if I try to do something 
> on one of the pages visited in the session, the login page appears 
> automatically.

You're getting all you can get out of the server-side of this equation. You'll either have to use "expires" or other cache-control headers or just trust your clients not to browse their caches.

> Using a filter to prevent caching does seem a sledgehammer approach. 
> But I have set one up to do just that but I would prefer another 
> solution.

I can't think of one.

-chris


Re: Application not logging out properly

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Martin,

On 10/12/2011 5:58 PM, Martin O'Shea wrote:
> This is true of the current application, but also true of the other
> Tomcat applications I have.
> 
> But the others don't seem to have this problem.

Which others?

> I know the sessions are invalidating because if I try to do 
> something on one of the pages visited in the session, the login
> page appears automatically.

You're getting all you can get out of the server-side of this
equation. You'll either have to use "expires" or other cache-control
headers or just trust your clients not to browse their caches.

> Using a filter to prevent caching does seem a sledgehammer
> approach. But I have set one up to do just that but I would prefer
> another solution.

I can't think of one.

-chris


RE: Application not logging out properly

Posted by Martin O'Shea <ap...@dsl.pipex.com>.
This is true of the current application, but also true of the other Tomcat
applications I have. 

But the others don't seem to have this problem. I know the sessions are
invalidating because if I try to do something on one of the pages visited in
the session, the login page appears automatically.

Using a filter to prevent caching does seem a sledgehammer approach. But I
have set one up to do just that but I would prefer another solution.

-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com] 
Sent: 12 Oct 2011 22:31
To: Tomcat Users List
Subject: RE: Application not logging out properly

> From: Martin O'Shea [mailto:appy74@dsl.pipex.com]
> Subject: RE: Application not logging out properly

> I would rather avoid forcing the browser to reload each page via the 
> appropriate headers.

Then they're going to be available in the browser cache until the browser
chooses to discard them.  You can't have it both ways.

 - Chuck




RE: Application not logging out properly

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Martin O'Shea [mailto:appy74@dsl.pipex.com] 
> Subject: RE: Application not logging out properly

> I would rather avoid forcing the browser to reload each 
> page via the appropriate headers. 

Then they're going to be available in the browser cache until the browser chooses to discard them.  You can't have it both ways.

 - Chuck




RE: Application not logging out properly

Posted by Martin O'Shea <ap...@dsl.pipex.com>.
I would rather avoid forcing the browser to reload each page via the
appropriate headers. 

-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com] 
Sent: 12 Oct 2011 22:18
To: Tomcat Users List
Subject: RE: Application not logging out properly

> From: Martin O'Shea [mailto:appy74@dsl.pipex.com]
> Subject: Application not logging out properly

> upon logout, I find I am able to browse back through some of the pages 
> visited in the session.

Are you sure it's not the browser simply displaying previously cached pages?
If so, then have your webapp (or a filter) set the appropriate no-caching
headers.

 - Chuck




RE: Application not logging out properly

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Martin O'Shea [mailto:appy74@dsl.pipex.com] 
> Subject: Application not logging out properly

> upon logout, I find I am able to browse back through some
> of the pages visited in the session. 

Are you sure it's not the browser simply displaying previously cached pages?  If so, then have your webapp (or a filter) set the appropriate no-caching headers.

 - Chuck




RE: Application not logging out properly

Posted by Martin O'Shea <ap...@dsl.pipex.com>.
I'm using form based authentication as follows:

<h2 style = "text-align: left"><a name = "login">Login</a></h2>
<form method = "POST" action='<%= response.encodeURL("j_security_check") %>'>
    <table border="0">
        <tr>
            <td align = "right">Name:</td>
            <td align = "left"><input type="text" name="j_username"></td>
        </tr>
        <tr>
            <td align = "right">Password:</td>
            <td align = "left"><input type="password" name="j_password"></td>
        </tr>
        <tr>
            <td align = "right"><input class = "button" type="submit" value="Log in"></td>
            <td align = "left"><input class = "button" type="reset" value = "Clear"></td>
        </tr>
    </table>
</form>

And the code in web.xml is as follows:

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Form-Based Authentication Area</realm-name>
    <form-login-config>
        <form-login-page>/jsp/security/protected/login.jsp</form-login-page>
        <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <description/>
    <role-name>ADMIN</role-name>
</security-role>

I also have MD5 digest specified in context.xml.

-----Original Message-----
From: André Warnier [mailto:aw@ice-sa.com] 
Sent: 12 Oct 2011 22:19
To: Tomcat Users List
Subject: Re: Application not logging out properly

Martin O'Shea wrote:
> Hello
> 
>  
> 
> I'm using Apache Tomcat 6.0.26 for an application where the majority 
> of the content is hidden behind a page requiring authenticated login. 
> This appears to work fine but upon logout, I find I am able to browse 
> back through some of the pages visited in the session.
> 

What authentication type (scheme) are you using ?
HTTP Basic, form-based, .. ?




Re: Application not logging out properly

Posted by André Warnier <aw...@ice-sa.com>.
Martin O'Shea wrote:
> Hello
> 
>  
> 
> I'm using Apache Tomcat 6.0.26 for an application where the majority of the
> content is hidden behind a page requiring authenticated login. This appears
> to work fine but upon logout, I find I am able to browse back through some
> of the pages visited in the session. 
> 

What authentication type (scheme) are you using ?
HTTP Basic, form-based, .. ?

