Logout functionality using Servlets and Filters

Question

This is my filter code and the one below that is the doPost() method in my servlet. I'm trying to implement logout functionality. When logout button is clicked, control is sent to the servlet and it then redirects to my login page. However, I'm having a problem in that. The browser says The page is not redirecting properly. I have been going through all the questions in SO on this topic and nothing seems to help me out. I'm also having the back button problem which takes user back to a page even after logging out. Can someone explain what is that I'm doing wrong?

LogoutFilter.java

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;

    HttpSession session = request.getSession(false);         
     if (session == null || session.getAttribute("loginUsername") == null) {
    response.sendRedirect("login.jsp"); // No logged-in user found, so redirect to login page.
} else {
    response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
    response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
    response.setDateHeader("Expires", 0);
    chain.doFilter(req, res);  
}
}

LogoutServlet.java

protected void doPost(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
            request.getSession().invalidate();
            RequestDispatcher rd = request.getRequestDispatcher("login.jsp");
            rd.forward(request, response);

}

EDIT: Also, when I type in a random url of a page from my project, it shows up without the user having to login. What to do to avoid that to happen?

UPDATE: I solved the random url page showing up problem by using some validations and redirecting to the login page accordingly. The logout functionality is working. However, when I press the back button it redirects to the login page itself(as required), BUT, one more press of the back button and the browser shows Document Expired message and if I press refresh, the secure page shows up again. Can anyone tell me what could be the problem here?

Kindly share the url-pattern you set for the filter. – Ayman Oct 23 '13 at 07:31 — Ayman, Oct 23 '13 at 07:31
I've updated the question with the web.xml file – Anjan Baradwaj Oct 23 '13 at 07:47 — Anjan Baradwaj, Oct 23 '13 at 07:47

mkvcvc · Answer 1 · 2013-10-23T08:06:35.783

0

It looks like you have implemented the redirection logic in servlet Filter. This will depending on your filter mapping cause a redirect loop if doFilter is hit every time a request to login.jsp is received.
So the solution would be to url map the filter in such a way that it does not get invoked if the URL relates to login.jsp.
Or you could check if the login.jsp is hit in the filter logic itself. For instance:

boolean isLogin = req.getRequestURI().contains("/login.jsp");
if (!isLogout && (session == null || session.getAttribute("loginUsername") == null)) {
   ...

edited Oct 23 '13 at 08:06

answered Oct 23 '13 at 07:32

mkvcvc

1,515
1
18
41

Still the browser says "The page isn't redirecting properly". – Anjan Baradwaj Oct 23 '13 at 07:47
Try substituting `startsWith(req.getContextPath() + "/logout.jsp")` with `contains("logout.jsp")`. If that still does not help, you should run a debug on it to see the cause of loop redirect, or at least throw a couple of `System.out.println` in it around the `isLogout` variable to see if it gets set properly. – mkvcvc Oct 23 '13 at 07:54
I don't have a `logout.jsp`. I'm redirecting to a servlet for validation. What should I use instead of `logout.jsp`? – Anjan Baradwaj Oct 23 '13 at 08:02
Sorry, that should be `login.jsp`, the one you are trying to redirect to, so as to prevent the loop. Updated the answer. – mkvcvc Oct 23 '13 at 08:07

Logout functionality using Servlets and Filters

1 Answers1