Menu
I have three simple HttpServlet classes in my JSP project, "LoginServlet", "LogoutServlet" and "ProfileServlet".
The last two servlets are as below that I reckon are problematic.
@SuppressWarnings("serial")
public class LogoutServlet extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
response.setContentType("text/html");
PrintWriter out=response.getWriter();
HttpSession session=request.getSession(false);
session.invalidate();
request.getRequestDispatcher("link.jsp").include(request, response);
out.print("You are successfully logged out!");
out.close();
}
}
And
@SuppressWarnings("serial")
public class ProfileServlet extends HttpServlet {
protected void doGet(HttpServletRequest request,
HttpServletResponse response) throws ServletException, IOException {
response.setContentType("text/html");
PrintWriter out = response.getWriter();
request.getRequestDispatcher("link.jsp").include(request, response);
HttpSession session = request.getSession(false);
if (session != null) {
String name = (String) session.getAttribute("name");
out.print("Hello, " + name + " Welcome to Profile");
} else {
out.print("Please login first");
request.getRequestDispatcher("login.html").include(request,
response);
}
out.close();
}
}
And the link.jsp:
<% HttpSession nsession = request.getSession(false);
if(nsession == null) {
%>
<a href="login.html">Login</a>
<%
}
else {
%>
<a href="LogoutServlet">Logout</a>
<%
}
%>
<a href="ProfileServlet">Profile</a>
<hr/>
The problem is while user is logged in, when the "Logout" link is clicked and "LogoutServlet" is called, session is not correctly invalidated and ProfileServlet still prints out
"Hello, null Welcome to Profile"
instead of redirecting to the "login.html" page because the session is still NOT null. As a result of it, "Login" link is not shown on the "link.jsp" page. This stops the user from being able to attempt to log in again.
EDIT: To make the problem clarified, I made a new html page and updated the servlets to do
request.getRequestDispatcher("link.html").include(request, response);
And the "link.html".
<a href="login.html">Login</a>
<a href="LogoutServlet">Logout</a>
<a href="ProfileServlet">Profile</a>
<hr/>
Interestingly this does what I wanted! I guess the problem is
request.getRequestDispatcher("link.jsp").include(request, response);
But I am unable to explain why...
574
To invalidate a session manually, call the following method: session. invalidate();
You can call removeAttribute("key") to discard the value associated with the specified key. This is the most common approach. Delete the whole session (in the current Web application). You can call invalidate to discard an entire session.
You will never get above session object as null because request. getSession() will always give you session object, so you can use request. getSession(false) code to get session and if session does not exist, it will return null.
Session invalidation means session destroying.So if session is destroyed,it indicates that server cant identify the client which has visited in previous.So now it creates a new session id for that client.
In JSP new session is created by default, if non present, so you will always get non null session. You can disable that by adding following page directive to your page:
<%@ page session="false" %>
For more info check the following Why set a JSP page session = “false” directive?
62
When it calls invalidate() it removes that session from server context and all associated data with that session,
When you make new request it creates new one and so you see null as the data because new session doesn't have data in it
You should check for a logical attribute inside session to validate it user is logged in or not, instead of session itself
22
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
