How to invalidate

Hi all,
I have written basic authentication code; it works, but with a bug.
My bug is: if I copy my URL (while logged in) and paste it after I log out, I am able to see my session page. My session has already expired, so how am I able to see that?
I invalidated my session using session.invalidate() in my servlet.
How could I solve this problem?

I've seen containers where session.invalidate() is broken and you're SOL... I saw one app running with this limitation, it told you to close your browser when you went to logout.
Otherwise, your problem could be that your browser is caching the page. Set some response headers and that won't happen anymore. Search the forums to see which ones to set.

Similar Messages

  • How to invalidate a session based on the session id

    How to invalidate a session based on the session id

    You have to write your own support for this.
    It used to be in the API, but was deprecated as a security hole.
    The best way to do it is to implement a session listener (javax.servlet.http.HttpSessionListener) which notifies you when sessions are created/destroyed.
    You can then keep a map of sessions in your own code, indexed by session Id, and access any/all of them to invalidate as you choose.
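One way to build the listener-backed map described in the answer above (added example, not code from the thread; the class name `SessionRegistry` and its `invalidate` method are hypothetical). It also re-keys the map when the container changes a session id, which requires Servlet 3.1 or later.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;

// Hypothetical class; register it with a <listener> element in web.xml.
public class SessionRegistry implements HttpSessionListener, HttpSessionIdListener {

    // Live sessions indexed by session id; concurrent because the container
    // fires these callbacks from many request threads.
    private static final Map<String, HttpSession> SESSIONS = new ConcurrentHashMap<>();

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        SESSIONS.put(session.getId(), session);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // Called for timeouts and for explicit invalidate() alike.
        SESSIONS.remove(event.getSession().getId());
    }

    @Override
    public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        // Keep the index correct when the id is rotated, e.g. at login.
        SESSIONS.remove(oldSessionId);
        SESSIONS.put(event.getSession().getId(), event.getSession());
    }

    /** Invalidates the session with this id; false if it is unknown or already gone. */
    public static boolean invalidate(String sessionId) {
        HttpSession session = SESSIONS.remove(sessionId);
        if (session == null) {
            return false;
        }
        try {
            session.invalidate();   // fires sessionDestroyed; its remove() is then a no-op
            return true;
        } catch (IllegalStateException alreadyInvalidated) {
            return false;           // lost a race with a timeout or a logout
        }
    }
}
```

A session id is a credential, so `invalidate` should only be reachable from administrative code and the ids should not be written to logs.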

  • How to invalidate session ids

    Dear all,
    Does anyone know how to invalidate session ids?
    Ex.: the server maintains many client session ids.
    I want to invalidate those client session ids.

    There are several cases when a session is invalidated:
    1. when the time specified in web.xml elapsed (session-timeout tag) - this is specified for the entire server
    2. when using session.setMaxInactiveInterval. specs:
    "Specifies the time, in seconds, between client requests before the servlet container will invalidate this session."
    3. when you call session.invalidate(). specs: "Invalidates this session then unbinds any objects bound to it." With this, the session is immediately invalidated.

  • How to invalidate the IPortalComponent Session

    Hi,
    I have written one portal component for customizing the session expiry. In this component, based on a certain idle time, we want to redirect to another customized page saying that the session has timed out. Redirection is happening but the session is still alive. I want to invalidate the session.
    Can somebody tell me how I can invalidate the IPortalComponent session? I know how to invalidate the http session but that does not solve my problem.
    Any suggestion?
    Thanks in advance.
    Manish

    Hi,
    By looking at the code of the IPortalComponentSession one can see that it basically stores all values in the httpsession with a certain prefix. Therefore, shouldn't it be sufficient to invalidate the httpsession? (If this is not the case, could you describe the problem more closely?)
    Note that if there is no component session, the IPortalComponent request creates one the first time it is accessed.
        public IPortalComponentSession getComponentSession() {
            // Lazily create the component session on first access
            if (mm_componentSession == null) {
                mm_componentSession = new PortalComponentSession(this);
            }
            return mm_componentSession;
        }
    Dagfinn

  • ANN: Learn how to invalidate cache and handle exceptions

    http://otn.oracle.com/sample_code/tech/java/codesnippet/webcache/index.html
    This set of new OracleAS Web Cache how-tos illustrates how to invalidate cached content using esi:invalidate and PL/SQL invalidation tags. Also, learn how to handle ESI exceptions using esi:try, esi:accept, and esi:except tags.
    Cheers,
    -Srikanth

    You may use any of the two ways:
    1. Use the interface. Go to Navigator, and go to that particular page where that portlet is, and then edit it. Go to Properties/Cache. See at the very bottom of the page for how to clear cache for that page.
    2. See details of the api function for cache invalidation.
    wwpro_api_invalidation.execute_cache_invalidation;

  • How to invalidate the client part of a HTTPS Session with client auth

    Hi to everybody here,
    I'm having an issue with HTTPS and client authentication related with how SSLHandshake works and the behavior of the client browser. I hope you can help.
    I'm setting up a web application that asks for a valid session in order to allow access to the application. If the user has no valid session, he's redirected to the login form, and if the auth process is OK, the user gets a session and is redirected again to the secured pages.
    We are in the process of creating a new login service with client certificates, so the user identifies himself with a certificate valid on the application server.
    We have an application server with a secure listener on port 8443. It's configured to request client certificates so we can access the certificate, validate it and create a session for the user automatically. The user just types his PIN code in the browser, no passwords at all. This process is working and sessions are created. The problem comes up when we try to log the user out.
    We invalidate the session using a logout.jsp, but if the user goes to the secured pages again, we have observed that the authentication takes place automatically and the user can see the secured pages, so he thinks the logout.jsp doesn't work.
    My questions are: can we delete or modify the client browser's SSL state in order to reset the HTTPS connection established with our application server? Are there any other ways to avoid this behavior?
    Thanks in advance.
    Miss.

    An end user presents a certificate from a CAC for authentication to our website.
    They pick the cert off the inserted CAC and submit it. They get logged into the application successfully.
    The user removes the card from the reader and the SSO session times out.
    In the same browser the user clicks log in with CAC and is not prompted for the cert this time; the browser just goes ahead and presents the cached cert even though the card is no longer in the reader. The user logs in successfully.
    The desired behavior would be to prompt the user for a cert again, obviously.
    I am wondering how to turn this off as well.

  • How to invalidate a session explicitly when a browser is closed

    Hi,
    I am keeping the information of a logged-in user in a session when he logs in successfully. The session time is maintained for half an hour.
    I am also storing his information in an application object.
    When a user logs out I am invalidating the session and his information is removed from the application object.
    When a person is logged in and another person at another place tries to log in with the same username and password, I am making use of this application object to check whether anyone is logged in with that user id or not. If the id already exists in the application object I will not allow the second person to log in and I will provide a relevant message, "already logged in with this ID".
    But the problem arises when a person logs in and closes the browser (without logging in).
    In this case the session is not invalidated and his information remains in the session and application object.
    When he tries to log in immediately after closing the browser, the same check is done for the duplicate login and a message is displayed to him saying "already logged in with this ID".
    He has to wait till the session expires (i.e. 30 min) and then log in.
    As this creates a problem, I want to invalidate the session at the time the browser is closed.
    I tried the onUnLoad() method in JavaScript, but that method is called not only when closing the browser but also when a link is clicked or when the page is refreshed.
    I am trying with cookies but I am not getting a good approach as to how to go forward with this problem.
    Anybody who can solve this, please reply soon or mail me.
    It's very urgent.
    Thanks
    sowjanya

    "2. Any business critical web site should not allow multiple users to work under same account at same time."
    Not true. My customer's web site is "business critical" and they explicitly wanted to be able to login multiple times with the same ID. At least in this scenario we completely circumvent your problem.
    The Javascript solution will never be 100%. What happens if their internet connection drops and doesn't come back? Suppose their OS crashes? What if their power goes out? What if IE crashes? What if JS is turned off? What if the user just walks away and leaves the browser open forever?
    You may be trying to get too much control, which on the web always leads to failure. Maybe a better alternative would be to warn the user that is logging in the second time that there is an outstanding login and that the previous user will be logged out if he proceeds. Then, keep a record of the event in case someone is messing with other accounts (although, since he obviously knows the username and password it is probably a user concern.)

  • How to invalidate session in absence of activity

    Hello people,
    I have a problem... I want to invalidate my session if no activity happens on my screen for a specified period... how do I
    check the time and also how do I track my activity?
    I also need to display a prompt to the user informing him of the time expiry and need a response from him.
    Can anybody help me out with this?

    BalusC wrote:
    Hari.Rangarajan wrote:
    Hello people,
    I have a problem... I want to invalidate my session if no activity happens on my screen for a specified period... how do I
    check the time and also how do I track my activity?
    It happens automagically when the session times out according to the appserver's default setting (usually 30 minutes) or your setting in the web.xml as suggested before.
    I also need to display a prompt to the user informing him of the time expiry and need a response from him.
    HTTP disallows push, so forget about it. The best you can do is to use Javascript's setTimeout() function in combination with HttpSession#getMaxInactiveInterval(). This way you can use Javascript to show some message in the page when the session is timed out.
    I'm afraid that was what was explained under the URL (earlier post) which was mentioned in my earlier reply.
    Why are you repeating the same solution out here??

  • How to invalidate old sessions when new user access appl  on same machine

    Hi all,
    I am using the Mozilla browser to access my web application. User one accesses my application using his credentials, but I left that browser open. After that I open another Mozilla window and access my application using different credentials, e.g. user2's credentials. User 2 can also access my application, but when I open the first browser I am automatically getting the second user's session. How can we avoid this problem?
    The application is using the session identifier (jSessionID) as the URL parameter for session management.
    Is it possible to invalidate the old session when a new user accesses the application on the same machine?
    thanks,
    Vishnu

    VishnuReddy wrote:
    Hi all,
    I am using the Mozilla browser to access my web application. User one accesses my application using his credentials, but I left that browser open. After that I open another Mozilla window and access my application using different credentials, e.g. user2's credentials. User 2 can also access my application, but when I open the first browser I am automatically getting the second user's session. How can we avoid this problem?
    That shouldn't occur. Either you explained it the wrong way (or I interpreted it the wrong way), or there's a huge bug in your login/logout logic. After opening another window inside the same session, you should still be logged in as the first user.

  • How to invalidate session when i browse another url with out closing browse

    Hi,
    How can I find out when I type another URL and browse to that site without closing the browser? When I leave the site I have to invalidate the session.
    How can I recognise this event?
    Thanks

    You might be able to do this by catching a javascript event, then you'd need to submit a request back to the server before any session invalidation could occur. Basically, the server never knows when the user is gone - that's why there's a timeout in sessions. The only other way is to have a logout button that the user clicks on to send the request to invalidate the session.

  • How to invalidate the browser cache?

    Hello,
    at the [AFP Wiki Site|http://wiki.sdn.sap.com/wiki/display/AFP/SAPPortal-AjaxFramework+Page] I found the document "Ajax Framework Page (AFB) - Features and Benefits", where it says
    ! There's no need to manually clear the browser cache when it is automatically invalidated
    Browser cache is automatically invalidated when
    The SAP NetWeaver Portal is updated with a new Support Package (SP)
    Content has changed
    User's roles are modified (adding/removing all or parts of roles)
    Does anybody know how to force this invalidation on client or server side? I mean, how does the client side cache know that the roles of a user changed?

    Hi Björn,
    you might know this but just to be sure.
    Backend side: HTTP > invalidate via visual admin, Navigation cache to be invalidated via system administration role, PCD cache  to be invalidated via system administration role
    Client side: to force the browser to pull the new content with IE > Ctrl+F5, FF > Ctrl+Shift+R. The new HTTP content is pulled even if the server HTTP cache stores old content. In case of F5 the old content from the server HTPS cache will be pulled.
    See you next week!
    Best regards,
    Alex

  • How to invalidate the Context of View B From View A?

    Hello,
    I have two Views, A and B.
    Is it possible to invalidate the Context of View B From View A? If yes, than how?

    Hi,
    YOu cant...
    I think krishna was trying to say "can't".. spelling mistake i guess !
    That's the reason why you have a component controller common to all the views within a component.

  • How to invalidate session in JSP?

    I am new to web development.
    I have tried to invalidate a session with session.invalidate() but this does not seem to have invalidated the session. Any Help Please??

    please elaborate on your problem,
    session.invalidate(false) should work..false means, if there is a session, invalidate, if not..DONT create one...

  • How to invalidate session after some time

    How can I assign a null value to the session if the user does not interact with the JSP page for M minutes? (Here M is variable, say after 5 minutes.)

    use setMaxInactiveInterval(int) method of HttpSession class.

  • How to invalidate cache for a single item?

    I'm trying to invalidate the cache for a particular item in the repository.
    I don't want to invalidate the whole cache.
    Is there a way to do that through dyn/admin?
    TIA

    You can create your own component in dyn/admin to do this.
    1. Create a global component with the following properties
    /atg/dynamo/service/GSAInvalidatorService
    [repository of item to invalidate]
    [itemDescriptor]
    [repositoryId]
    2. Create method invalidateCache
    getGSAInvalidatorService().invalidate(getRepository(), getItemDescriptor(), getRepositoryId());
    or, this should work as well
    ItemDescriptor someItemDescriptor;
    someItemDescriptor.removeItemFromCache(getRepositoryId());
    Maybe try them both to see what works for you.
    -Michael
