How to properly invalidate JSP session?

java security jsp session invalidation
Morglor picture Morglor · Oct 11, 2010 · Viewed 24.4k times · Source

So here is the problem. When a user logs out of my website, they can still hit the back button and continue using the site. To keep track of whether the user is logged in or not, I created a session attribute "isActive". The attribute is set to true when the user logs in, and is (redundantly) removed right before the session is invalidated at logout. Also on every page I check if the attribute is present.

I also specify that pages should not be cached in their head tags.

Despite this users are still able to hit back on the browser, and continue to use the site as if they never logged off.

Any idea on how to fix this?

Here is the code:

Login Servlet:

...
session.setAttribute("isActive", true);
//Redirect to home page.

Check Logged In JSP:

<c:if test='${empty sessionScope.isActive || sessionScope.isActive != true}'>
     <c:redirect url="/index.jsp?message=Session Timed Out."/>
</c:if>

Logout Servlet:

request.getSession().removeAttribute("isActive");
request.getSession().invalidate();
response.sendRedirect("index.jsp");

Inside Head Tag:

<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-Control" content="no-cache">
<meta http-equiv="Expires" content="Sat, 01 Dec 2001 00:00:00 GMT">

Thanks

Answer

BalusC picture BalusC · Oct 11, 2010

The meta tags are not sufficient. You need to add them as fullworthy response headers. The webbrowser relies on them. A Filter is helpful in this. Also, the Cache-Control header is incomplete (won't work as expected in Firefox, among others).

Implement this in the doFilter() method of a Filter which is mapped on an url-pattern of for example *.jsp (if you want to cover all JSP pages).

HttpServletResponse res = (HttpServletResponse) response;
res.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
res.setHeader("Pragma", "no-cache"); // HTTP 1.0.
res.setDateHeader("Expires", 0); // Proxies.
chain.doFilter(request, response);

This way the webbrowser will be forced to fire a real request on the server rather than displaying the page from the browser cache. Also, you should rather be using a Filter to check the presence of the logged-in user, not JSP/JSTL.

Related questions:

Related questions

XSS prevention in JSP/Servlet web application

How can I prevent XSS attacks in a JSP/Servlet web application?

Read More
Client Cross Frame Scripting Attack resolution

We have developed a new application, and before moving the changes we did a static scan of code using checkmarx. There is a medium level vulnerablity that is found in the code named Client Cross Frame Scripting Attack. This is …

Read More
Java Error: "Your security settings have blocked a local application from running"

I'm trying to run this simple HelloWorld code written in Java from my browser (Chrome): public class HelloWorld extends JApplet { public void init() { try { SwingUtilities.invokeAndWait(new Runnable() { public void run() { JLabel lbl = new JLabel("Hello World"); add(lbl); } }); } catch (…

Read More