JSP Servlet session invalidate() does not make session null
I have three simple HttpServlet classes in my JSP project, "LoginServlet", "LogoutServlet" and "ProfileServlet".
- LoginServlet: log in user by setting "name" attribute to session
- LogoutServlet: log out user and invalidate session
- ProfileServlet: display user welcome info if user has logged in
The last two servlets are as below that I reckon are problematic.
@SuppressWarnings("serial")
public class LogoutServlet extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
response.setContentType("text/html");
PrintWriter out=response.getWriter();
HttpSession session=request.getSession(false);
session.invalidate();
request.getRequestDispatcher("link.jsp").include(request, response);
out.print("You are successfully logged out!");
out.close();
}
}
And
@SuppressWarnings("serial")
public class ProfileServlet extends HttpServlet {
protected void doGet(HttpServletRequest request,
HttpServletResponse response) throws ServletException, IOException {
response.setContentType("text/html");
PrintWriter out = response.getWriter();
request.getRequestDispatcher("link.jsp").include(request, response);
HttpSession session = request.getSession(false);
if (session != null) {
String name = (String) session.getAttribute("name");
out.print("Hello, " + name + " Welcome to Profile");
} else {
out.print("Please login first");
request.getRequestDispatcher("login.html").include(request,
response);
}
out.close();
}
}
And the link.jsp:
<% HttpSession nsession = request.getSession(false);
if(nsession == null) {
%>
<a href="login.html">Login</a>
<%
}
else {
%>
<a href="LogoutServlet">Logout</a>
<%
}
%>
<a href="ProfileServlet">Profile</a>
<hr/>
The problem is while user is logged in, when the "Logout" link is clicked and "LogoutServlet" is called, session is not correctly invalidated and ProfileServlet still prints out
"Hello, null Welcome to Profile"
instead of redirecting to the "login.html" page because the session is still NOT null. As a result of it, "Login" link is not shown on the "link.jsp" page. This stops the user from being able to attempt to log in again.
EDIT: To make the problem clarified, I made a new html page and updated the servlets to do
request.getRequestDispatcher("link.html").include(request, response);
And the "link.html".
<a href="login.html">Login</a>
<a href="LogoutServlet">Logout</a>
<a href="ProfileServlet">Profile</a>
<hr/>
Interestingly this does what I wanted! I guess the problem is
request.getRequestDispatcher("link.jsp").include(request, response);
But I am unable to explain why...
Answer
In JSP new session is created by default, if non present, so you will always get non null session. You can disable that by adding following page directive to your page:
<%@ page session="false" %>
For more info check the following Why set a JSP page session = “false” directive?