
How to invalidate a session?

I am using the invalidate method from the HttpSession class, but when I
press the back button in the internet navigator, the session still is
valid.
Jul 17 '05 #1
6 Replies


"gargarensis" <ga*********@terra.es> wrote in message
news:40**************************@posting.google.com...
> I am using the invalidate method from the HttpSession class, but when I
> press the back button in the internet navigator, the session still is
> valid.

HttpSession is an interface, not a class. What makes you think the session
is still valid?
Jul 17 '05 #2

"gargarensis" <ga*********@terra.es> wrote in message
news:40**************************@posting.google.com...
> I am using the invalidate method from the HttpSession class, but when I
> press the back button in the internet navigator, the session still is
> valid.


Invalidating a session is server-side logic, the back-button is purely
client-side logic. You might set the appropriate HTTP headers when you send
pages to the browser to tell it it should never show cached pages but
instead always send a new request. Those headers can be a combination of:

Pragma=no-cache (for older browsers)
Cache-control=no-store (a stricter version of no-cache)
Expires=0

Setting these will prevent any non-deaf browser from showing cached content.
That way an invalidated session can be made visible to the user.

Regards,

Silvio Bierman
Jul 17 '05 #3

"Ryan Stewart" <zz********@gSPAMo.com> wrote in message news:<Ea********************@texas.net>...
> "gargarensis" <ga*********@terra.es> wrote in message
> news:40**************************@posting.google.com...
> > I am using the invalidate method from the HttpSession class, but when I
> > press the back button in the internet navigator, the session still is
> > valid.
>
> HttpSession is an interface, not a class. What makes you think the session
> is still valid?

Thanks.

I can access attributes for the session after invalidating it.
I am debugging in the "back" request in my servlet.
Jul 17 '05 #4

Thanks.

I can see this by debugging in the servlet. In the first request I delete
all attributes of a session and invalidate it. When I press back, in the
next request, I can access the attributes of the session. I am trying to
implement a web page for disconnection to delete the user data
(password, credit card), but if the user presses back after the
disconnection page it recovers the data.

"Silvio Bierman" <sb******@idfix.nl> wrote in message news:<40***********************@news.xs4all.nl>...
> "gargarensis" <ga*********@terra.es> wrote in message
> news:40**************************@posting.google.com...
> > I am using the invalidate method from the HttpSession class, but when I
> > press the back button in the internet navigator, the session still is
> > valid.
>
> Invalidating a session is server-side logic, the back-button is purely
> client-side logic. You might set the appropriate HTTP headers when you send
> pages to the browser to tell it it should never show cached pages but
> instead always send a new request. Those headers can be a combination of:
>
> Pragma=no-cache (for older browsers)
> Cache-control=no-store (a stricter version of no-cache)
> Expires=0
>
> Setting these will prevent any non-deaf browser from showing cached content.
> That way an invalidated session can be made visible to the user.
>
> Regards,
>
> Silvio Bierman

Jul 17 '05 #5

"gargarensis" <ga*********@terra.es> wrote in message
news:40**************************@posting.google.com...
> "Ryan Stewart" <zz********@gSPAMo.com> wrote in message
> news:<Ea********************@texas.net>...
> > "gargarensis" <ga*********@terra.es> wrote in message
> > news:40**************************@posting.google.com...
> > > I am using the invalidate method from the HttpSession class, but when I
> > > press the back button in the internet navigator, the session still is
> > > valid.
> >
> > HttpSession is an interface, not a class. What makes you think the session is still valid?
>
> Thanks.
>
> I can access attributes for the session after invalidating it.
> I am debugging in the "back" request in my servlet.


Maybe you should read Silvio's reply a little more closely. If you truly
call session.invalidate(), then the session is gone. Pressing the back
button in your browser is simply pulling the page from your local cache, not
making a new request.
Jul 17 '05 #6

ga*********@terra.es (gargarensis) wrote in message news:<40**************************@posting.google.com>...
> Thanks.
>
> I can see this by debugging in the servlet. In the first request I delete
> all attributes of a session and invalidate it. When I press back, in the
> next request, I can access the attributes of the session. I am trying to
> implement a web page for disconnection to delete the user data
> (password, credit card), but if the user presses back after the
> disconnection page it recovers the data.


If you call the invalidate() method, then the session is gone.

However, on the next call the server will create a new, empty session
whose attributes you can access.

Is it possible that on pressing the back button, you re-submit a form
that sets the attributes in the new session?

Erik
Jul 17 '05 #7
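
The two points made in the replies above (Silvio Bierman's cache headers, and Erik's note that the next request gets a new, empty session), combined as an added example that is not code from any poster in this thread: a filter that marks protected pages as non-cacheable and looks for a live session with `getSession(false)`, plus a logout servlet. The `user` attribute name and the `/login` path are assumptions; map the filter to the protected pages only, not to the login page.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class SessionLogoutExample {

    /** Map to protected URLs only (not the login page, or it redirects forever). */
    public static class NoCacheSessionFilter implements Filter {
        public void init(FilterConfig config) {}
        public void destroy() {}

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;

            // Headers from the thread: the browser must send a new request
            // instead of redrawing a cached copy when the user presses Back.
            response.setHeader("Cache-Control", "no-store");
            response.setHeader("Pragma", "no-cache");   // older browsers
            response.setDateHeader("Expires", 0);

            // getSession(false) never creates a session. getSession() would
            // return a new, empty one after invalidate(), hiding the logout.
            HttpSession session = request.getSession(false);
            if (session == null || session.getAttribute("user") == null) { // "user": assumed name
                response.sendRedirect(request.getContextPath() + "/login"); // assumed path
                return;
            }
            chain.doFilter(request, response);
        }
    }

    /** The "disconnection page" from the question, handled as a POST. */
    public static class LogoutServlet extends HttpServlet {
        protected void doPost(HttpServletRequest request, HttpServletResponse response)
                throws IOException {
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();   // server-side state is gone from here on
            }
            response.setHeader("Cache-Control", "no-store");
            response.sendRedirect(request.getContextPath() + "/login"); // assumed path
        }
    }
}
```

With `no-store` on the protected pages, pressing Back after logout makes the browser send a new request, and the filter redirects it because no session exists.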
