How to properly invalidate a JSP session?

Posted 2024-09-26 13:16:40


So here is the problem. When a user logs out of my website, they can still hit the back button and continue using the site. To keep track of whether the user is logged in or not, I created a session attribute "isActive". The attribute is set to true when the user logs in, and is (redundantly) removed right before the session is invalidated at logout. Also on every page I check if the attribute is present.

I also specify that pages should not be cached in their head tags.

Despite this users are still able to hit back on the browser, and continue to use the site as if they never logged off.

Any idea on how to fix this?

Here is the code:

Login Servlet:

...
session.setAttribute("isActive", true);
//Redirect to home page.

Check Logged In JSP:

<c:if test='${empty sessionScope.isActive || sessionScope.isActive != true}'>
     <c:redirect url="/index.jsp?message=Session Timed Out."/>
</c:if>

Logout Servlet:

request.getSession().removeAttribute("isActive");
request.getSession().invalidate();
response.sendRedirect("index.jsp");

Inside Head Tag:

<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-Control" content="no-cache">
<meta http-equiv="Expires" content="Sat, 01 Dec 2001 00:00:00 GMT">

Thanks

Comments (3)

傲世九天 2024-10-03 13:16:40


The meta tags are not sufficient. You need to add them as full-fledged response headers. The web browser relies on them. A Filter is helpful in this. Also, the Cache-Control header is incomplete (won't work as expected in Firefox, among others).

Implement this in the doFilter() method of a Filter which is mapped on a url-pattern of for example *.jsp (if you want to cover all JSP pages).

HttpServletResponse res = (HttpServletResponse) response;
res.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
res.setHeader("Pragma", "no-cache"); // HTTP 1.0.
res.setDateHeader("Expires", 0); // Proxies.
chain.doFilter(request, response);

This way the web browser will be forced to fire a real request on the server rather than displaying the page from the browser cache. Also, you should rather be using a Filter to check the presence of the logged-in user, not JSP/JSTL.

Related questions:

吹梦到西洲 2024-10-03 13:16:40


You shouldn't check if the session is still active on your destination page, it's better to check it with a Filter.

If in the filter, request.getSession().getAttribute("isActive") returns something, then the user is still logged in, and you simply chain; else you redirect to the login page.

For example:

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ActiveFilter implements Filter {
   public void init(FilterConfig filterConfig) {
   }
   public void destroy() {
   }
   public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
      HttpServletRequest req = (HttpServletRequest) request;
      HttpServletResponse res = (HttpServletResponse) response;
      // No "isActive" attribute means the session was invalidated (or the user never logged in).
      if (req.getSession().getAttribute("isActive") == null){
          res.sendRedirect("/index.jsp");
      }else{
          chain.doFilter(request, response);
      }
   }
}

Resources:
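The two answers above can be combined into a single Filter that both sets the no-cache headers and checks the isActive attribute, so neither the meta tags nor the JSTL block are needed in each JSP. This is an added example, not code from either answer; the class name AuthAndNoCacheFilter, the @WebFilter annotation (Servlet 3.0+), the use of getSession(false) and the allow-listing of /index.jsp are my assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter covering every JSP. On a Servlet 2.5 container replace the
// annotation with an equivalent <filter-mapping> in web.xml.
@WebFilter(urlPatterns = "*.jsp")
public class AuthAndNoCacheFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // 1. Real response headers, so the browser and proxies never serve the page
        //    from cache and pressing Back after logout always hits the server.
        res.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1
        res.setHeader("Pragma", "no-cache");                                    // HTTP 1.0
        res.setDateHeader("Expires", 0);                                        // Proxies

        // 2. getSession(false) does not create a fresh session just to inspect it,
        //    so an invalidated session stays gone and the check is cheap.
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null
                && Boolean.TRUE.equals(session.getAttribute("isActive"));

        // 3. The login page itself must pass, otherwise the redirect loops forever.
        String path = req.getRequestURI().substring(req.getContextPath().length());
        if (loggedIn || "/index.jsp".equals(path)) {
            chain.doFilter(request, response);
        } else {
            res.sendRedirect(req.getContextPath() + "/index.jsp?message=Session+Timed+Out.");
        }
    }

    @Override
    public void destroy() {
    }
}
```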

只涨不跌 2024-10-03 13:16:40


All my JSPs have no-cache headers (via @include directives). I have a logout.jsp in the root of the app with the following lines:

HttpSession sessIfAny = request.getSession(false);
if (sessIfAny != null) sessIfAny.invalidate();

This prevents creating unnecessary sessions.

The web.xml needs to exempt logout.jsp from authentication:

<!-- Resources excepted from authentication -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>excepted</web-resource-name>
        <url-pattern>/logout.jsp</url-pattern>
        <url-pattern>/favicon.ico</url-pattern>
        <!-- ... other resources -->
    </web-resource-collection>
    <!-- no auth-constraint -->
</security-constraint>

This prevents a login page being shown to do a logout on an expired session.
