I have three simple HttpServlet classes in my JSP project, "LoginServlet", "LogoutServlet" and "ProfileServlet".
- LoginServlet: log in user by setting "name" attribute to session
- LogoutServlet: log out user and invalidate session
- ProfileServlet: display user welcome info if user has logged in
The last two servlets are as below that I reckon are problematic.
@SuppressWarnings("serial")
public class LogoutServlet extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
response.setContentType("text/html");
PrintWriter out=response.getWriter();
HttpSession session=request.getSession(false);
session.invalidate();
request.getRequestDispatcher("link.jsp").include(request, response);
out.print("You are successfully logged out!");
out.close();
}
}
And
@SuppressWarnings("serial")
public class ProfileServlet extends HttpServlet {
protected void doGet(HttpServletRequest request,
HttpServletResponse response) throws ServletException, IOException {
response.setContentType("text/html");
PrintWriter out = response.getWriter();
request.getRequestDispatcher("link.jsp").include(request, response);
HttpSession session = request.getSession(false);
if (session != null) {
String name = (String) session.getAttribute("name");
out.print("Hello, " + name + " Welcome to Profile");
} else {
out.print("Please login first");
request.getRequestDispatcher("login.html").include(request,
response);
}
out.close();
}
}
And the link.jsp:
<% HttpSession nsession = request.getSession(false);
if(nsession == null) {
%>
<a href="login.html">Login</a>
<%
}
else {
%>
<a href="LogoutServlet">Logout</a>
<%
}
%>
<a href="ProfileServlet">Profile</a>
<hr/>
The problem is while user is logged in, when the "Logout" link is clicked and "LogoutServlet" is called, session is not correctly invalidated and ProfileServlet still prints out
"Hello, null Welcome to Profile"
instead of redirecting to the "login.html" page because the session is still NOT null. As a result of it, "Login" link is not shown on the "link.jsp" page. This stops the user from being able to attempt to log in again.
EDIT: To make the problem clarified, I made a new html page and updated the servlets to do
request.getRequestDispatcher("link.html").include(request, response);
And the "link.html".
<a href="login.html">Login</a>
<a href="LogoutServlet">Logout</a>
<a href="ProfileServlet">Profile</a>
<hr/>
Interestingly this does what I wanted! I guess the problem is
request.getRequestDispatcher("link.jsp").include(request, response);
But I am unable to explain why...
When it calls
invalidate()
it removes that session from server context and all associated data with that session,When you make new request it creates new one and so you see
null
as the data because new session doesn't have data in itYou should check for a logical attribute inside
session
to validate it user is logged in or not, instead of session itselfThat may help You Check it out for condition checking.
Condition To Check:
Set Up While Logout:
In JSP new session is created by default, if non present, so you will always get non null session. You can disable that by adding following page directive to your page:
For more info check the following Why set a JSP page session = “false” directive?