I am trying to use the logout functionality provided by Spring Security.
The logging out works fine. The session gets invalidated (by calling the logout method in the SecurityContextLogoutHandler class). The user is redirected to the login page.
However, when I press the back button, I see the code below running with a valid session id. The req.getRequestedSessionId() is NOT null. A new session is created.
// Inside a custom Filter's doFilter(): the browser presented a JSESSIONID
// that the container no longer recognises, so hand the request straight
// down the chain and skip this filter's own logic
if (req.getRequestedSessionId() != null &&
        !req.isRequestedSessionIdValid()) {
    chain.doFilter(request, response);
    return;
}
We also have the following code in the LogoutFilter.
HttpServletResponse resp = (HttpServletResponse) res;
// Tell the browser (and any proxy) not to cache the response, so that a later
// Back navigation cannot replay the page from cache
resp.setHeader("Expires", "Tue, 03 Jul 2001 06:00:00 GMT");
resp.setHeader("Last-Modified", new Date().toString());
resp.setHeader("Cache-Control", "no-store, no-cache, "
        + "must-revalidate, max-age=0, "
        + "post-check=0, pre-check=0");
resp.setHeader("Pragma", "no-cache");
Is it some problem with the browser? Am I missing something?
The servlet API has two methods for getting a session from a request: getSession() and getSession(boolean create).
The first method always returns a session, creating a new one if none exists. The second method can be used to control whether or not a new session should be created if none exists.
Having said that, I think this is not much of an issue. An empty session usually has no impact on the application's security or anything else (apart from a small memory footprint).
EDIT:
It is possible that during the logout procedure some redirect caused another request which established a new session. If you really want to track it down, use Firebug or a similar tool to track all the requests in the logout sequence and compare the jsessionid cookie on each of the requests.
One possible way to achieve this check is probably verifying the SecurityContext, instead of the HttpSession, in your Filter.