
I am facing a problem with sessions using Servlets and JSP: when users log in/log out of my application, it displays the last accessed usernames. When the user logs in successfully, I put the user information into the session like this:

HttpSession session = request.getSession(false);
session.setAttribute("username", username);

When the user clicks on logout in the application, I run this code:

HttpSession session = request.getSession(false);

if(session!=null){
   session.invalidate();
}

response.setHeader("Pragma", "cache"); 
response.setHeader("Cache-Control", "private, must-revalidate"); 

I checked whether the session is still available when the user logs out; the session is invalidated. But when I log in again in the same browser with a different user, I get the last accessed session user. I have already set response.setHeader for the login page and the loaded page, and I get the same problem. This issue occurs only on the client side (production server). We are using Sun One Application Server 7.1.

  • I don't understand what happens. Please post the real code (the one you posted can't compile), explain what you're trying to do, what you expect the code to do, and what it actually does. – JB Nizet Nov 19 '11 at 12:57

1 Answer

There are 2 problems:

  1. You're setting the wrong cache headers. You need to set the following headers:

    response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
    response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
    response.setDateHeader("Expires", 0); // Proxies.
    
  2. You're setting the cache headers on the wrong page. You have to set them on all pages which require a login, not only on the page which appears after logout. You need to create a Filter which does the response header setting job in the doFilter() method and then map the filter on a URL pattern covering the pages which require a login such as /app/*, /secured/*, etc.

See also:


Unrelated to the concrete problem, don't use request.getSession(false), instead just use request.getSession() without the boolean.
