Invalidate Session

Similar Messages

• Is it possible to invalidate session when I click my browsers back button

  Hai
  I have a question.
  I am building a jsp page with multiple forms.As of now,
  no login system has been implemented.
  I need my session to time out when the client click on the back
  button on the browser to prevent data corruption.
  Is there a possible way to do this in Java/ Script
  I know the use of session.invalidate() but how to tie it up to the
  browser's back button
  A second problem
  If I use session.invalidate() on Tomcat 3.2
  I find that it is not invalidated.But this same function on tomcat 4
  doesn't have any problem
  Could anyone help on these issues
  Thanks

  You don't mean you want to invalidate session every time you move to a new page, do you? If you do, after implementation of login system the users will be asked for passwords at each page. If you don't, it's better to use headers for your response.
  response.setHeader("Cache-Control", "no-cache");
  response.setHeader("Expires", "-1");

• Invalidate session in BlazeDS

  Hi!
  I need to integrate BlazeDS security with an external security mechanism so I have implemented custom authentication as described in http://livedocs.adobe.com/blazeds/1/blazeds_devguide/help.html?content=services_security_1 .html. Now I need to invalidate user authentication on server upon certain circunstances. When this happens, I invalidate Session contained in Request parameter of invoke method of TomcatValve. This seems to work but I get a nasty "Duplicated Http Session" in Flex client telling that cookies where removed in server. Is there any clear way to invalidate current user login from BlazeDS?
  I've also tried invalidating FlexSession but then Flex clients hangs.
  Thank you very much.
  Daniel.

  Ummm - isn't that exactly what a session timeout specifies?
  ie how long should it stick around before it "expires" and should be invalidated?
  You don't need to call session.invalidate() - it will do that all by itself.

• Invalidate session with weblogic.Admin

  Hi,
  I tried to invalidate sessions using weblogic.Admin using the command: java weblogic.Admin -url t3://localhost:8013 -username system -password *** GET -pretty -type ServletSessionRuntime. The output was:
  MBeanName: "R3:Location=PIA,Name=B0lYRDnVqlw1VzPZO1XszSFlIASW017b!1102341400731,ServerRuntime=PIA,Type=ServletSessionRuntime"
  CachingDisabled: true
  MainAttribute: [email protected]/ps
  Name: B0lYRDnVqlw1VzPZO1XszSFlIASW017b!1102341400731
  ObjectName: B0lYRDnVqlw1VzPZO1XszSFlIASW017b!1102341400731
  Parent: PIA
  Registered: true
  TimeLastAccessed: 1102341410448
  Type: ServletSessionRuntime
  Then tried to invalidate it using:
  java weblogic.Admin -url t3://localhost:8013 -username system -password *** INVOKE -mbean "R3:Location=PIA,Name=B0lYRDnVqlw1VzPZO1XszSFlIASW017b!1102341400731,ServerRuntime=PIA,Type=ServletSessionRuntime" -method INVALIDATE
  ANd the error message: bash: !1102341400731: event not found
  Do you know how to handle this? Or any other way to invalidate session from weblogic.Admin?
  WLS 8.1 SP1
  Regards
  Tomi

  Hello,
  I have a system consisting of three different departments, each department has its own login page with different username and password.
  from the same browser, all three administrators can log in successfully, during there login, one session is created with different attributes for each of them, if any one administrator logs out, I invalidate the session, which logs out the other two administrators.
  Can I use session Id to log out on administrator while the other two can stay logs in?
  If I am using the wrong approach all together, can anyone suggest an alternative please?
  here is my code to create session:
  // if correct username and password entered then create session
  String financeAdminSess = adminUsername;
  session.setAttribute("financeAdminSess", adminUsername);                                        
  String redirectURL = "finance_admin_home.jsp";
  response.sendRedirect(redirectURL);
  and here is the code for loggin out:
  // get session
  String financeAdminSess=(String) session.getAttribute("financeAdminSess");
  // remove session
  session.removeAttribute("financeAdminSess<br />");
  // invalidate session
  session.invalidate();
  Any suggestion would be much appreciated.
  Thanks
  Shaxo

• Invalidate session with specific sessionId

  Hi there,
  Is it possible to invalidate session with specific sessionId?
  Thanks.

  Hello,
  I have a system consisting of three different departments, each department has its own login page with different username and password.
  from the same browser, all three administrators can log in successfully, during there login, one session is created with different attributes for each of them, if any one administrator logs out, I invalidate the session, which logs out the other two administrators.
  Can I use session Id to log out on administrator while the other two can stay logs in?
  If I am using the wrong approach all together, can anyone suggest an alternative please?
  here is my code to create session:
  // if correct username and password entered then create session
  String financeAdminSess = adminUsername;
  session.setAttribute("financeAdminSess", adminUsername);                                        
  String redirectURL = "finance_admin_home.jsp";
  response.sendRedirect(redirectURL);
  and here is the code for loggin out:
  // get session
  String financeAdminSess=(String) session.getAttribute("financeAdminSess");
  // remove session
  session.removeAttribute("financeAdminSess<br />");
  // invalidate session
  session.invalidate();
  Any suggestion would be much appreciated.
  Thanks
  Shaxo

• Invalidate Session at all Cluster Weblogic

  hi all,
  i try to save user session in a hashmap on every cluster. and when i need to invalidate it, i will take specified session id. and invalidate it where the session created with normal way to invalidate session.
  public class SessionListener implements HttpSessionListener {
  public HashMap<String, HttpSession> sessionHolder = new HashMap<String, HttpSession>();
  @Override
  public void sessionCreated(HttpSessionEvent se) {
  sessionHolder.put(se.getSession().getId(), se.getSession());
  public void invalidate(String sessionId){
  if(this.sessionHolder.get(sessionId)!= null){
  System.out.println("Invalidate session ID : " + sessionId);
  HttpSession session = sessionHolder.get(sessionId);
  session.invalidate();
  } else {
  System.out.println("Session is not created in this cluster ID : " + sessionId);
  @Override
  public void sessionDestroyed(HttpSessionEvent se) {
  System.out.println("Session " + se.getSession().getId() + " has been destoryed");
  sessionHolder.remove(se.getSession().getId());
  session will perish where invalidate occur. but on other cluster session is still avaliable.
  why the session on other cluster is still. and how to also invalidate session on other cluster.
  thanks.
  Edited by: jeggy on Jan 20, 2011 8:47 PM

  Can you provide little bit more information on how many servers, clusters you have and what kind of replication etc?

• Invalidate session in another context

  Hi everyone,
  In a nutshell, how to invalidate session of another context residing in another server?
  If it is not possible, what is the best approach to achieve something similar to that?
  Thanks for reading this.
  Z

  u can as well use the MBean interface implementations for Tomcat (JBoss)
  and call some public method of a MBean under name "jboss.web:type=Manager,path=/,host=localhost,*" - like 'expireSession' passing the sessionId string as param
  Rafal Baton Zaczynski
  http://baton.pop.e-wro.pl - Java/JSF/JavaScript - tips&tuts

• Reload Page + Invalidate Session

  (ADF 11gR1 ADFBC) I have an ADF application which can be run with different contexts.
  Every user has a “last_selected_context” stored in the database.
  When launching the application, I fetch this “last selected context” and in the “beforePhase” of the “PagePhaseListener”, I set all my session variables for this context.
  Users may swap from a context to another by selecting it from a popup.
  My problem is : when a user select another context, I have to invalidate the session and reload the page.
  I did this in a function “reloadThePage()”
      public static void reloadThePage()
        FacesContext fContext = FacesContext.getCurrentInstance();
        String viewId = fContext.getViewRoot().getViewId();
        String actionUrl = fContext.getApplication().getViewHandler().getActionURL(fContext, viewId);
        try
          ExternalContext eContext = fContext.getExternalContext();
          String resourceUrl = actionUrl;
         // Invalidate Session
         HttpSession session = (HttpSession)JSFUtils.getFacesContext().getExternalContext().getSession(false);
          if (session != null) {
              session.invalidate();
          eContext.redirect(resourceUrl);
        catch (IOException ioe)
          System.err.println("Problem trying to reload the page:");
          ioe.printStackTrace();
      }It is working fine, but I have this Warning message every time a change the context: Because of inactivity, your session has timed out and is no longer active.  Click OK to reload the page+.
  Is there a way to avoid this Warning message?
  Thanks & Regards
  Nicolas

  Hi Timo,
  Thanks for your help.
  I've tried this but I still have the same warning message.
      public static void reloadThePage()
        FacesContext fContext = FacesContext.getCurrentInstance();
        try
          ExternalContext eContext = fContext.getExternalContext();
          String resourceUrl = "/hr2/faces/home"; 
          // Invalidate Session
          HttpSession session = (HttpSession)JSFUtils.getFacesContext().getExternalContext().getSession(false);
          if (session != null) {
              session.invalidate();
          eContext.redirect(resourceUrl);
        catch (IOException ioe)
          System.err.println("Problem trying to reload the page:");
          ioe.printStackTrace();
      }Any other suggestion ?
  Thanks & Regards
  Nicolas

• [svn] 1502: Bug: BLZ-148 - Repeat invocation of invalidate() on HttpFlexSession throws java.lang.IllegalStateException: invalidate: Session already invalidated

  Revision: 1502
  Author: [email protected]
  Date: 2008-04-30 16:36:53 -0700 (Wed, 30 Apr 2008)
  Log Message:
  Bug: BLZ-148 - Repeat invocation of invalidate() on HttpFlexSession throws java.lang.IllegalStateException: invalidate: Session already invalidated
  QA: Yes
  Doc: No
  Ticket Links:
  http://bugs.adobe.com/jira/browse/BLZ-148
  Modified Paths:
  blazeds/branches/3.0.x/modules/core/src/java/flex/messaging/HttpFlexSession.java

• How can i invalidate Session when a browser crashes?

  Hi
  How can i invalidate session when a browser window closed or crashed unexpectedly.
  If user closed the browser window using File->Close, then i'm calling javascript function .... and it is working fine. But when browser window is hanged and closed using ENDTASK, how can i kill that session.
  Please help
  Thanks
  -Vidyadhar

  Well you can't. Execution halts, so anything you would want to do is made impossible: that's why crashes are the #1 enemy of any software developer (that and impossible deadlines). The webserver will remove the session manually when it times out though.

• How to invalidate session in absence of activity

  hello ppl
  i hav a prob...i want to invalidate my session if no activity happens on my screen for a specified period...how do i
  chk the time and also how do i track my activity....
  i also need to display a prompt to the user informing of the time expiry and need a response from him
  can anybody help me out with this?????

  BalusC wrote:
  Hari.Rangarajan wrote:
  hello ppl
  i hav a prob...i want to invalidate my session if no activity happens on my screen for a specified period...how do i
  chk the time and also how do i track my activity....It happens automagically when the session times out according to the appserver's default setting (usually 30 minutes) or your setting in the web.xml as suggested before.
  i also need to display a prompt to the user informing of the time expiry and need a response from himHTTP disallows push, so forget about it. Best what you can do is to use Javascript's setTimeout() function in combination with HttpSession#getMaxInactiveInterval(). This way you can use Javascript to show some message in the page when the session is timed out.I'm afraid that wass what was explained under the URL(Earlier Post) which was what metioned in my earlier reply.
  Why are repeating the same solution out here ??

• How to invalidate session in JSP?

  I am new to web development.
  I have tried to invalidate a session with session.invalidate() but this does not seem to have invalidated the session. Any Help Please??

  please elaborate on your problem,
  session.invalidate(false) should work..false means, if there is a session, invalidate, if not..DONT create one...

• Not able to invalidate session

  I am storing an attritbute in a session as set.setAttribute and do sessionName.invalidate() when I hit logout. However, next time when I access the servlet, I am still able to retrieve the value of the attribute set last time which should be null. Please let me know the plausible reason for not getting the desired behaviour.

  The defined behaviour for HttpSession.invalidate() is to make the session invalid and unbind all objects. However, this depends on the implementation provided by the servlet container. Some servlet containers actually retain the session attributes even after the session has been invalidated.
  One way of getting around this is to close the browser window and open a new one using some gawky scripting. Someone suggested to me sometime ago that a response.sendRedirect() to some logout page would also help.

• Invalidate session. BindingContext exception

  Hi there,
  I am trying to invalidate the session calling invalidate() method of HttpServletResponse object after retrieved the session. I get an error concerns about BindingContext.
  The exception is BindingContext is null on the session.+
  I am using ADF Model BC and JDeveveloper 11.1.1.3.0
  ExternalContext ec = fc.getExternalContext();
  HttpServletRequest req = (HttpServletRequest) ec.getRequest();
  HttpServletResponse res = (HttpServletResponse) ec.getResponse();
  HttpSession ses = (HttpSession) req.getSession(false);
  ses.invalidate();
  Thanks, al

  Hi,
  after invalidating the session, you need to perform a rediret if you want to continue with the application. The ADF binding object is a Map in teh user session and is removed when you invalidate the session. A redirect re-builds the binding object
  Frank

• How to invalidate session ids

  dear all ,
  Any knows how to invalidate the session ids .
  Ex . Server maintains maintains many client session ids
  I want invalidate those client session ids ,,,'

  There are several cases when a session is invalidated:
  1. when the time specified in web.xml elapsed (session-timeout tag) - this is specified for the entire server
  2. when using session.setMaxInactiveInterval. specs:
  "Specifies the time, in seconds, between client requests before the servlet container will invalidate this session."
  3. when you call session.invalidate() specs: " Invalidates this session then unbinds any objects bound to it." With this, the session is immediately invalidated.

• Invalidate session when user clicks back button

  I want to invalidate the session when user clicks back button, so that user cannot refresh and reload a page.
  Any suggestions will be highly appreciated.
  Message was edited by:
  sam_amc

  * SessionInvalidator.java
  * Created on October 27, 2006, 9:18 AM
  package web;
  import java.io.*;
  import java.net.*;
  import javax.servlet.*;
  import javax.servlet.http.*;
  * @author javious
  * @version
  public class SessionInvalidator extends HttpServlet {
      /** Processes requests for both HTTP <code>GET</code> and <code>POST</code> methods.
       * @param request servlet request
       * @param response servlet response
      protected void processRequest(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
          response.setContentType("text/html;charset=UTF-8");
          PrintWriter out = response.getWriter();
          String reposted = request.getParameter("reposted");
          if("true".equals(reposted))
              HttpSession session = request.getSession(false);
              if(session == null)
                  // This is step 4 and beyond
                  out.println("<html>");
                  out.println("<head>");
                  out.println("<title>Servlet SessionInvalidator</title>");
                  out.println("</head>");
                  out.println("<body>");
                  out.println("<h1>Servlet SessionInvalidator at " + request.getContextPath () + "</h1>");
                  out.println("I said, your session is now invalid! Now where are those Duke Dollars at?");
                  out.println("</body>");
                  out.println("</html>");
              else
                  Integer hitCount = (Integer)session.getAttribute("hitCount");
                  if(hitCount == null)
                      // This is step 2 (the "good" - "stay" page.)
                      out.println("<html>");
                      out.println("<head>");
                      out.println("<title>Servlet SessionInvalidator</title>");
                      out.println("</head>");
                      out.println("<body>");
                      out.println("<h1>Servlet SessionInvalidator at " + request.getContextPath () + "</h1>");
                      out.println("Your session is good.<br>");
                      out.println("If you click the browser's back button, you will invalidate your session.");
                      out.println("</body>");
                      out.println("</html>");
                      hitCount = 1;
                      session.setAttribute("hitCount", hitCount);
                  else
                      //We've used up our good visit
                      session.invalidate();
                      // This is step 3
                      out.println("<html>");
                      out.println("<head>");
                      out.println("<title>Servlet SessionInvalidator</title>");
                      out.println("</head>");
                      out.println("<body>");
                      out.println("<h1>Servlet SessionInvalidator at " + request.getContextPath () + "</h1>");
                      out.println("Your session is now invalid");
                      out.println("</body>");
                      out.println("</html>");
          else
              // because the javascript in the following output will never allow a user
              // to continue clicking back any further than this, we can safely create the session.
              // (or perhaps the session can already be created here and this may not be necessary).
              // A problem lies where if the user chooses to "select" a page back in history they thereby
              // potentially skip back "over" this functionality, thus defeating the purpose of it.
              request.getSession(true);
              // This is step 1 (indirection)
              out.println("<html>");
              out.println("<head>");
              out.println("<title>Servlet SessionInvalidator</title>");
              out.println("</head>");
              out.println("<body onload=\"document.getElementById('invalidatorForm').submit()\">");
              out.println("<h1>Servlet SessionInvalidator at " + request.getContextPath () + "</h1>");
              out.println("<form id=\"invalidatorForm\" action=\"SessionInvalidator\" method=\"POST\">");
              out.println("<input type=\"hidden\" name=\"reposted\" value=\"true\">");
              out.println("</form>");
              out.println("</body>");
              out.println("</html>");
          out.close();
      // <editor-fold defaultstate="collapsed" desc="HttpServlet methods. Click on the + sign on the left to edit the code.">
      /** Handles the HTTP <code>GET</code> method.
       * @param request servlet request
       * @param response servlet response
      protected void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
          processRequest(request, response);
      /** Handles the HTTP <code>POST</code> method.
       * @param request servlet request
       * @param response servlet response
      protected void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
          processRequest(request, response);
      /** Returns a short description of the servlet.
      public String getServletInfo() {
          return "Short description";
      // </editor-fold>
  }The problem with even attempting to do this is that with today's browser capabilities, users can optionally choose to jump to a particular page in the browser history and this may not necessarily be the most recent page. In this case, you would also want to invalidate the user's session after already having been there (whatever page that may be). Then you have situations when the user may wish to jump back in history to external pages they were visiting before they reached your own site's pages. Then what happens when they start clicking forward, forward, etc... from there? This is why I prefer writing Swing Clients as alternatives to browser applications. There are soo many possible ways break web applications made for standard web browsers both maliciously and simply by accident or irregular user patterns. Regardless, this servlet would work based on the assumption that all the user(s) would "ever" do aside from moving logically forward is clicking on the browser's "back" button.
  cheers!
  Message was edited by:
  javious