当前位置: 文江博客话题详情

如何区分注销和会话过期?

发布于 2024-09-10 21:30:51 字数 149 浏览 3 评论 0原文

情况 1:注销:一旦我们注销,如果尝试访问前一个,它必须自动重定向到 login.jsp

情况 2:会话过期:如果用户仍然登录时会话过期,它必须尝试自动重定向到 sessionExpired访问上一页时的.jsp。

如何区分?我当前在注销时使会话无效。

原文

Case 1: Log out : Once we log out, if one tries to access previous, it must automatically redirect to login.jsp

Case 2: Session expired : If session expires when user is still logged in, it must try to automatically redirect to sessionExpired.jsp when previous page is accessed.

How to differentiate ? I am currently invalidating session when logging out.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

您的好友蓝忘机已上羡 2024-09-17 21:30:51

登录时,设置一个具有较长有效期(> 24 小时)的 cookie。通过将 maxage 设置为 0,在注销时删除此 cookie。

您可以检查任何未登录的用户(即无效的会话 ID)。
如果cookie不存在,则将他重定向到login.jsp

如果cookie存在,则意味着他的会话已过期,因此将他重定向到session-expired.jsp

On login, set a cookie with a long expiry (> 24 hours). Remove this cookie at logout time by setting the maxage to 0.

You can have check for any non-logged in user (i.e. invalid session id).
If the cookie does not exist, redirect him to login.jsp

If the cookie exists, it means his session expired so redirect him to session-expired.jsp

回复 原文
她说她爱他 2024-09-17 21:30:51

您可以通过检查是否 HttpServletRequest#getRequestedSessionId() 不会返回 null (这意味着客户端已发送会话 cookie,因此假定会话仍然有效)和 HttpServletRequest #isRequestedSessionIdValid() 返回false(这意味着会话在服务器端已过期)。

简而言之:

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws ServletException, IOException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    HttpSession session = request.getSession(false);

    if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) {
        response.sendRedirect(request.getContextPath() + "/sessionexpired.jsp");
    } else if (session == null || session.getAttribute("user") == null) {
        response.sendRedirect(request.getContextPath() + "/login.jsp");
    } else {
        chain.doFilter(request, response);
    }
}

无需再为额外的饼干而烦恼。将此Filter映射到覆盖受保护页面的url-pattern上(从而排除sessionexpired和登录页面!)。

不要忘记在受保护的页面上禁用浏览器的页面缓存,否则当您返回浏览器历史记录时,网络浏览器将从缓存中加载它们,而不是向服务器发送新请求。您可以通过在调用 Chain#doFilter() 之前在同一过滤器中执行以下操作来实现此目的。

response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
response.setDateHeader("Expires", 0); // Proxies.

You can test expired sessions by checking if HttpServletRequest#getRequestedSessionId() doesn't return null (which means that the client has sent a session cookie and thus assumes that the session is still valid) and HttpServletRequest#isRequestedSessionIdValid() returns false (which means that the session has been expired at the server side).

In a nut:

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws ServletException, IOException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    HttpSession session = request.getSession(false);

    if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) {
        response.sendRedirect(request.getContextPath() + "/sessionexpired.jsp");
    } else if (session == null || session.getAttribute("user") == null) {
        response.sendRedirect(request.getContextPath() + "/login.jsp");
    } else {
        chain.doFilter(request, response);
    }
}

No need to hassle with extra cookies. Map this Filter on an url-pattern covering the protected pages (and thus excluding the sessionexpired and login pages!).

Don't forget to disable page caching by the browser on the protected pages, otherwise the webbrowser will load them from the cache when you're going back in the browser history, instead of sending a new request to the server. You can achieve this by doing the following in the same filter, before Chain#doFilter() call.

response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
response.setDateHeader("Expires", 0); // Proxies.
回复 原文
单身情人 2024-09-17 21:30:51

如果是我,我会在注销时清除会话并在其中创建一个名为 HasLoggedOut 的布尔值,然后将其设置为 true。然后,如果此布尔值存在于会话中,您就知道他们已注销,如果不存在,则会话已超时或用户根本未登录。

由于您仍然无法区分超时和未登录,我通常会决定,如果他们请求经过身份验证的页面,我只会将它们发送到会话超时页面,该页面也兼作登录页面,上面写着

“哎呀,我们不”不知道您是谁,您的会话已超时或您尚未登录,请在下面登录”

这适用于这两种情况

If it were me I would clear the session on log out and create a bool in it called HasLoggedOut then set this to true. Then if this bool exists in session you know they logged out, if it doesn't then the session has either timed out or the user never logged in at all.

As you still cant differentiate between timed out and not logged in I normally make the decision that if they request an authenticated page I will just send them to session timeout page which also doubles as a login page that says something like

"Oops, we don't know who you are, either your session has timed out or you have not yet logged in please login below"

This then caters for both scenarios

回复 原文
~没有更多了~

关于作者

So要识趣

暂无简介

0 文章
0 评论
23 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

1CH1MKgiKxn9p

文章 0 评论 0

ゞ记忆︶ㄣ

文章 0 评论 0

JackDx

文章 0 评论 0

信远

文章 0 评论 0

yaoduoduo1995

文章 0 评论 0

霞映澄塘

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文