problem in login again after logout

[Tirka]

Hi All,

i have this small jsp web application where
i log out using session.invalidate(). After loggin out,
if i login again, i cannot access the links;if i click on any links it
is redirected to the index/login page.
But then if i close the browser, and login, this time
it works fine.
i'll be much obliged if any can help.

[FON]

When you log out you call your app logic to explicitly do session.invalidate().

But when you just close browser
session on server side is NOT invalidated, and NOT expired !

You should sniff you traffic to see how your server (Tomcat maybe) works.

In my case:

TOMCAT writes SESSIONID in Header of HTTP response automatically,
and behind the scenes PERSISTENT cookie is created on client with this SESSIONID
(or sent as part of a rewritten URL.)

Tomcat response to login:
---
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E96CDDC56BC7E03C924FEFC0E2735663; Path=/Framework
Content-Type: text/html;charset=UTF-8
Content-Length: 423
Date: Fri, 04 Dec 2009 11:05:18 GMT
---

I suggest you should look in your browser and find cookie.
I use Firefox.

If you have "Web Developer plug-in" installed in Firefox you can track session cookies after login:

(Firefox => Web Developer plugin => Cookies => View Cookie Information)

Name JSESSIONID
Value E96CDDC56BC7E03C924FEFC0E2735663
Host localhost
Path /Framework
Secure No
Expires At End Of Session

Now, - If you manually delete cookie - you cannot continue using application - you must log in again !

CONCLUSION:
User close browser.
User starts app again.
Using this SESSIONID from persistent cookie, user can login because there is still alive
session on server with same SESSIONID, that was NOT invalidated nor it has expired

Do spend some time on this issue
and please share your opinion with others here

i hope i helped you
;)

[Tirka]

Thanks Fon,
Sorry that i couldn't get to you earlier.
I was doing some research on session invalidation for abrupt browser
closing and got some script in Ajax that that keeps validating the existence
of the session once every X seconds.But it is not working the way it should.
Once it turns out to be fault free, i will post it....soon.

[FON]

That would be nice of you,
this is very common problem