How to properly logout of a Java EE 6 Web Application after logging in
Solution 1
You should have logout servlet/jsp which invalidates the session using the following ways:
- Before Servlet 3.0, using
session.invalidate() methodwhich invalidates the session also. - Servlet 3.0 provides a API method
HttpServletRequest.logout()which invalidates only the security context and the session still exists.
And, the Application UI should be providing a link which invokes that logout servlet/jsp
Question: Indeed, how can I force a logout after, say, the session times out, etc?
Answer: The <session-timeout> in web.xml lets you define the timeout value after which the session will get invalidated by the server.
Solution 2
You can do it programmatically using the logout()-Method of HttpServletRequest.
There is also a corresponding method for login in with username and password. These methods have been added in Servlet 3.0, so they're available in Java EE 6.
A timeout is a different beast and can be specified in web.xml as following:
<session-config>
<session-timeout>30</session-timeout>
</session-config>
The time unit is minutes.
Solution 3
Two step process -
1.create the logout page
2.create a session bean with a logout method
STEP A: The Logout Page
<div class="mytext">
<p>Hello #{userSession.username}, </p>
<p><h:outputText value="It doesn't seem you're logged in anyway..." rendered="#{!userSession.userLoggedIn}" /></p>
</div>
<h:form class="mytext" rendered="#{userSession.userLoggedIn}" >
<h:panelGrid columns="2" >
<h:outputLabel value="Do you want to logout?" for="logout" />
<p:commandButton value="Logout" id="logout" action="#{userSession.logout}" />
</h:panelGrid>
</h:form>
STEP B: Session Bean Backing Code (snippet)
public String logout() {
HttpSession session = (HttpSession) FacesContext.getCurrentInstance().getExternalContext().getSession(true);
session.invalidate();
return "/index?faces-redirect=true";
}
public boolean isUserLoggedIn() {
String user = this.getUsername();
boolean result = !((user == null)|| user.isEmpty());
return result;
}
/** Get the login username if it exists */
public String getUsername() {
String user = FacesContext.getCurrentInstance().getExternalContext().getRemoteUser();
return user;
}
smagrath
Updated on May 10, 2020Comments
-
smagrath about 4 years
A pretty simple requirement. After logging into web J2EE 6 application, how can I have the user logout again?
Most (all?) the books and tutorials I have seen show how to add a login/loginerror page to their application and demonstrate the use of security principals/roles/realms etc using the "j_security_check" method - all good. But then it's not clear how to give the user the power to logout. Indeed, how can I force a logout after, say, the session times out, etc?
-
Ramesh PVK almost 12 yearsThis is available only since Servlet 3.0 -
ftr almost 12 yearsYes, but the question specifically mentions JEE 6, so Servlet 3.0 is fine
-
smagrath almost 12 yearsThanks Ramesh - that allowed me to put it together properly I think. One thing I picked up elsewhere was the importance of
return "/index?faces-redirect=true";- this is needed to break the existing session and any client-side caching that may be going on. -
ammianus almost 10 yearsFor clarity Servlet 3.0 you must do both logout() and session.invalidate()?
-
David Leppik about 7 yearsIf you logout without invalidating the session, you ought to have a really good reason since it opens you up to information leakage. Users who log out intentionally expect to be treated as if they'd never logged in—especially if they're using a public terminal! See owasp.org/index.php/… -
Cristian Hoyos over 6 yearsProbably I don't understand good this answer: "in web.xml lets you define the timeout value after which the session will get invalidated by the server" I understand that this session timeout is the time that container waits after session is invalidated; and It's not correct, because this session timeout param is the time which container waits if it does not receive a request to can invalidate the session.
