Logout Methods, Suggestions Please

  • Thread starter Talking with Tonz - Emery Z. Balint Jr.

Talking with Tonz - Emery Z. Balint Jr.

Hello all,

I am creating a Web application which requires the user to log in. I am
wondering if I can make the logout system better. Any suggestions would be
very helpful. Here's what I've done so far and what happens in steps:

1. Upon login the user is stored in the session.
2. The user is also stored in the ServletContext so they cannot log in twice.
3. Upon logout, the user is removed from the ServletContext and the session
is invalidated. Works great.

4. But when the user forgets to log out and simply closes the browser, the
session lingers until timeout and the ServletContext still has the user in
it. So the user cannot log in again!

5. To remedy this, what I've done is the next time the user wants to login I
check the last time they have accessed the session (this I store and update
in the ServletContext as the user uses the Web application). So if 20
minutes has passed then I know that the session has timed-out and I allow
the user to login again. I update the ServletContext and away the user goes.

Now although this works, if the user forgets to log out they'll have to wait
about 20 minutes before logging in again. Somewhat of a hassle, although
fairly secure. So I'm curious, anyone have any suggestions to perhaps make
this better?

M.

P.S. I'm using Tomcat 4.1.24 and I'm sticking to the MVC model. I have a
controller servlet, a bunch of other classes for various other tasks. JSPs
are used for presentation. MySQL for storage.

/\^/\^/\
Sun Certified Java Programmer
www.websamba.com/javarobotics/
E-stronomy - Astronomical Resources
www.websamba.com/e-stronomy/
Talking with Tonz - Dance/Alternative Music
www.soundclick.com/talkingwithtonz/

Talking with Tonz - Emery Z. Balint Jr.

Christophe Vanfleteren said:
Why not register a listener that gets the user out of the servlet context
when the session is timed out?


I actually tried that, but I got no response at all, it didn't work. Here's
my code listed below. By chance did I do something wrong? The web.xml file
has the listener entry there, and I know (by using System.out.println())
that the session is being created and destroyed, but if you try this you'll
find that the ctx doesn't show up. Actually any println() will not show up
after the session is printed out. I have no clue why, thought that would
work too.

M.


import javax.servlet.ServletContext;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

public final class NSBBSListener implements HttpSessionListener {

    public void sessionCreated(HttpSessionEvent se) {
        // Do nothing
    }

    public void sessionDestroyed(HttpSessionEvent se) {

        System.out.println("Session Destroyed");

        // Get the session from the event
        HttpSession session = se.getSession();

        System.out.println(session);

        // Under Servlet 2.3 this listener runs after the session has been
        // invalidated, so its attributes may already be unbound. Every lookup
        // below can therefore return null and must be checked before use.
        UserInfo userInfo = (UserInfo) session.getAttribute("userInfo");
        if (userInfo == null) {
            System.out.println("userInfo already unbound, or the user never logged in");
            return;
        }

        // The username from the object stored in the session
        String username = userInfo.getUserAuth();

        System.out.println(username);

        // Get the ServletContext reference stored in the session; fall back to
        // the session's own context (Servlet 2.3 API) if the attribute is gone
        ServletContext ctx = (ServletContext) session.getAttribute("context");
        if (ctx == null) {
            ctx = session.getServletContext();
        }

        System.out.println(ctx);

        // Removes the user from the context
        // (stored as "username", "username" in context)
        ctx.removeAttribute(username);
    }
}

John C. Bollinger

Talking said:
I actually tried that, but I got no response at all, it didn't work. Here's
my code listed below. By chance did I do something wrong?

Maybe. There are some details that could be tripping you up, and I
don't seem to see their implementation described in the servlet
specification, which makes them implementation dependent.
The web.xml file
has the listener entry there, and I know (by using System.out.println())
that the session is being created and destroyed, but if you try this you'll
find that the ctx doesn't show up. Actually any println() will not show up
after the session is printed out. I have no clue why, thought that would
work too.

Have you considered that the application may be throwing an exception?
It would be wise to check your logs for information.

Note that HttpSessionListener.sessionDestroyed is invoked _after_ a
session is invalidated. The method HttpSession.invalidate()
"Invalidates this session then unbinds any objects bound to it." My
guess, then, is that when you try to retrieve the "userInfo" attribute
from the invalidated session you receive a null, which you then proceed
to try to dereference, generating a NullPointerException. (You ought to
be looking out for a null anyway -- what if the user never logged in in
the first place?) I do observe, however, that the API docs establish a
logical separation between invalidating a session and invoking
invalidate() on the corresponding HttpSession object, where the former
is one action that the latter performs; it is therefore a bit unclear as
to where in the sequence HttpSessionListeners should be notified.

An alternative approach would be to make your UserInfo object implement
HttpSessionBindingListener; it could then unbind itself from the
application context when unbound from the session for any reason, and
could even bind itself to the application context when bound to a
session. You do not then need an HttpSessionListener at all.


John Bollinger
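An added example, not code posted by anyone in this thread, that puts the steps from the first post (user record in the session, "who is logged in" table in the ServletContext, logout by invalidation) together with John's HttpSessionBindingListener suggestion. It is written against the Servlet 2.3 API that Tomcat 4.1 implements; HttpSession.getServletContext() exists from 2.3 on. The package name, the attribute name `example.activeUsers`, the `login`/`logout` helper names, the `evictPrevious` option and the 20-minute timeout are assumptions made for the example.

```java
package example;   // hypothetical package name

import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/*
 * Added example, not code from this thread.  The user record registers itself
 * in a table kept in the ServletContext when it is bound to a session and
 * removes itself when unbound, for any reason: explicit logout,
 * session.invalidate(), or the container's timeout reaper.  No
 * HttpSessionListener is needed and no "last access" time is tracked by hand.
 */
public final class UserInfo implements HttpSessionBindingListener {

    /* ServletContext attribute holding a Map of username -> HttpSession (name is an assumption). */
    static final String ACTIVE_USERS = "example.activeUsers";
    private static final Object LOCK = new Object();   // guards creation of the table

    private final String userAuth;
    private HttpSession boundTo;        // the session this object currently lives in

    public UserInfo(String userAuth) { this.userAuth = userAuth; }
    public String getUserAuth()      { return userAuth; }

    /* Called by the container when session.setAttribute("userInfo", this) runs. */
    public void valueBound(HttpSessionBindingEvent e) {
        boundTo = e.getSession();
        Map active = activeUsers(boundTo.getServletContext());
        synchronized (active) { active.put(userAuth, boundTo); }
    }

    /* Called on logout, invalidate() and timeout.  Uses the session saved at
     * bind time; attribute access on the now-invalid session is not allowed. */
    public void valueUnbound(HttpSessionBindingEvent e) {
        Map active = activeUsers(boundTo.getServletContext());
        synchronized (active) {
            if (active.get(userAuth) == boundTo) {   // only drop our own entry,
                active.remove(userAuth);             // never a newer login's
            }
        }
    }

    /* Lazily creates the shared table.  One JVM only: a cluster needs a shared store. */
    static Map activeUsers(ServletContext ctx) {
        synchronized (LOCK) {
            Map m = (Map) ctx.getAttribute(ACTIVE_USERS);
            if (m == null) { m = new HashMap(); ctx.setAttribute(ACTIVE_USERS, m); }
            return m;
        }
    }

    /*
     * Call from the controller servlet AFTER the password has been checked.
     * Returns false if the name is already in use and evictPrevious is false.
     * With evictPrevious true the earlier session (e.g. a browser that was just
     * closed) is invalidated; that unbinds its UserInfo, which frees the name
     * immediately instead of after the 20-minute timeout.
     */
    public static boolean login(ServletContext ctx, HttpServletRequest req,
                                String userAuth, boolean evictPrevious) {
        Map active = activeUsers(ctx);
        synchronized (active) {                          // check-then-act must be atomic
            HttpSession previous = (HttpSession) active.get(userAuth);
            HttpSession pre = req.getSession(false);     // whatever the browser sent before login
            if (previous != null) {
                if (!evictPrevious) return false;
                previous.invalidate();                   // fires valueUnbound -> entry removed
            }
            // Session-fixation defence: never keep the pre-login session id.
            if (pre != null && pre != previous) pre.invalidate();
            HttpSession fresh = req.getSession(true);
            fresh.setMaxInactiveInterval(20 * 60);
            fresh.setAttribute("userInfo", new UserInfo(userAuth));   // valueBound registers the name
            return true;
        }
    }

    /* Logout is just invalidation; the unbind callback does the bookkeeping. */
    public static void logout(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        if (s != null) s.invalidate();
    }
}
```

The controller servlet calls `UserInfo.login(getServletContext(), request, name, true)` once the credentials have checked out and `UserInfo.logout(request)` for the logout action. Two things worth keeping in mind: on a timeout, valueUnbound runs on the container's background thread, so it must not touch request or response objects; and the Servlet 2.3 ordering that trips up HttpSessionListener (sessionDestroyed after invalidation) was reversed in Servlet 2.4, where sessionDestroyed is notified before the session is invalidated, but the binding-listener approach above does not depend on either ordering.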

Emery Z. Balint Jr.

Thank you John for your helpful assistance. I did end up re-working my
application. I was trying to get UserInfo from the session after the objects
were already unbound. So little wonder why that didn't work and I was indeed
getting a null. Shame on me for not checking earlier. I did end up modifying
my app to work with the ServletContext, which can be accessed at pretty much
any time. So now it does work properly.

I really like the idea of implementing the HttpSessionBindingListener in the
UserInfo object though, that probably would've made the most sense. I will
look into that for sure. Again thank you.

Emery.