<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <security:global-method-security secured-annotations="enabled" />

    <security:http>
        <security:intercept-url pattern="/index*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/login123" access="ROLE_ADMIN" />
        <security:intercept-url pattern="/employee1" access="ROLE_EMPLOYEE" />
        <security:intercept-url pattern="/emppreviewshow" access="ROLE_EMPLOYEE" />
        <security:access-denied-handler error-page="/login" />

        <security:form-login login-page="/login" default-target-url="/index"
                             authentication-failure-url="/fail2login"
                             username-parameter="username"
                             password-parameter="j_password" />
        <security:session-management invalid-session-url="/logout" session-fixation-protection="newSession">
            <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
        </security:session-management>
        <security:logout logout-success-url="/logout" delete-cookies="JSESSIONID" invalidate-session="true" />
    </security:http>

    <!-- strength is the bcrypt log-rounds cost; BCryptPasswordEncoder accepts values from 4 to 31 -->
    <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
        <constructor-arg name="strength" value="255" />
    </bean>

    <security:authentication-manager>
        <security:authentication-provider>
            <security:jdbc-user-service data-source-ref="dataSource"
                users-by-username-query=
                    "select username, password, enabled from USER_MASTER where username=?"
                authorities-by-username-query=
                    "select username, USER_ROLE from USER_ROLE where username=?" />
            <security:password-encoder ref="passwordEncoder" />
        </security:authentication-provider>
    </security:authentication-manager>

</beans>

When I click logout and then click the browser's back button, it still shows the old pages. I want the same login URL to be shown when the back button is clicked in the browser.

Srinath Murugula

3 Answers


You can check whether the session is active in all the methods of the controller classes, i.e., the request-mapped classes and methods. If the session is active, return the page; otherwise redirect to the login page.

Nandu cg

Welcome to the world of client vs. server! Invalidating a session is a server-side operation. Assuming that the session id is passed in a cookie, it means that the next request containing that cookie will not be a member of the previous session, and so you will activate all the "please login first" machinery.

But under normal conditions, hitting the back button on a browser does not send a new request but just displays the last page from the local cache. Thus it is a client-only operation.

As an application developer, there is little that you can do. You could try to use JavaScript to hide the back button, catch it, or clean the cache. But if I were you, I wouldn't dare to think about that: you are likely to fall into browser compatibility problems, for something that you should not care about. What the user reads locally is their own problem. If he/she made a printed copy of a page, you would not take a lighter to burn it when the session is over. The cached pages are the same: a local copy. That's the reason why on explicit disconnection you often see a message asking to close the browser window. It is the only way for the user to be sure not to read offline copies if he/she clicks on the back button.

Serge Ballesta
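The answer above explains why the back button works at all: the browser re-renders the page from its local cache without contacting the server. The practical mitigation is to tell the browser not to store authenticated pages, so that the back button issues a fresh request, which the (now invalidated) session fails and Spring Security redirects to the login page. Spring Security 3.2 and later can emit these headers via its `<security:headers>` element, but the configuration above uses the 3.1 schema, so here is a plain servlet filter instead. This is an added example, not code from the question or any answer; the package name and the web.xml registration shown in the comment are assumptions.

```java
package org.dewbyte.corebank.utility; // assumed package, matching the handlers below

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Marks every response as non-cacheable, so the browser's back button
 * re-requests the page instead of rendering it from the local cache.
 * After logout that fresh request no longer carries a valid session and
 * the Spring Security filter chain redirects it to the login page.
 *
 * Registration (assumed) in web.xml, mapped before the springSecurityFilterChain:
 *   <filter>
 *     <filter-name>noCacheFilter</filter-name>
 *     <filter-class>org.dewbyte.corebank.utility.NoCacheFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>noCacheFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class NoCacheFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        // HTTP/1.1 clients: do not store the response and always revalidate
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate, max-age=0");
        // HTTP/1.0 proxies and older browsers
        response.setHeader("Pragma", "no-cache");
        // Expiry in the past, for caches that honour only Expires
        response.setDateHeader("Expires", 0L);
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

The headers are set before the chain continues so that a controller or view that commits the response still sends them; static resources such as images and stylesheets can be left cacheable by narrowing the url-pattern to the application's page URLs.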

I cannot use invalidate-session. I just added the "authentication-success-handler-ref" and set a session value inside there. After login the session value is set to true, and after logout the session value is set to false.

This is the code: Security-context.xml

<bean id="customAuthenticationSuccessHandler" class="org.dewbyte.corebank.utility.CustomAuthenticationSuccessHandler"/>

root-context.xml

<bean id="LogoutSuccessHandler" class="org.dewbyte.corebank.utility.LogoutSuccessHandler" />

CustomAuthenticationSuccessHandler class

package org.dewbyte.corebank.utility;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

public class CustomAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

    private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication authentication)
            throws IOException, ServletException {

        // flag the session as logged in; controllers check this attribute
        request.getSession().setAttribute("loginStatus", "true");
        String targetUrl = "/dashboard";
        redirectStrategy.sendRedirect(request, response, targetUrl);
    }

    public RedirectStrategy getRedirectStrategy() {
        return redirectStrategy;
    }

    public void setRedirectStrategy(RedirectStrategy redirectStrategy) {
        this.redirectStrategy = redirectStrategy;
    }
}

LogoutSuccessHandler class

package org.dewbyte.corebank.utility;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;

public class LogoutSuccessHandler implements org.springframework.security.web.authentication.logout.LogoutSuccessHandler {

    private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    public RedirectStrategy getRedirectStrategy() {
        return redirectStrategy;
    }

    public void setRedirectStrategy(RedirectStrategy redirectStrategy) {
        this.redirectStrategy = redirectStrategy;
    }

    @Override
    public void onLogoutSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication authentication)
            throws IOException, ServletException {

        // clear the logged-in flag; the session itself is kept because invalidate-session is not used
        request.getSession().setAttribute("loginStatus", "false");
        String targetUrl = "/";
        redirectStrategy.sendRedirect(request, response, targetUrl);
    }
}

Check whether the session value is true or false in every method of the controller classes.

Controller class

@RequestMapping("/home")
public String home(HttpServletRequest request) {
    // compare with the literal first: getAttribute() returns null when the flag was never set
    if ("true".equals(request.getSession().getAttribute("loginStatus"))) {
        return "home";
    }
    return "login";
}
Nandu cg
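The answer above repeats the loginStatus check in every controller method, which is easy to forget on a new mapping. The same check can be done once in a Spring MVC HandlerInterceptor that runs before any controller. This is an added example, not code from the answer; the package, the interceptor name and the servlet-context.xml registration in the comment are assumptions. Note that it only affects requests that reach the server: a page the browser shows from its cache never passes through it, so it does not by itself change the back-button behaviour described in the question.

```java
package org.dewbyte.corebank.utility; // assumed package, same as the handlers above

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

/**
 * Checks the "loginStatus" session attribute set by
 * CustomAuthenticationSuccessHandler / LogoutSuccessHandler once for all
 * mapped controllers instead of in every method.
 *
 * Registration (assumed) in servlet-context.xml; map only the protected
 * paths so the login page itself stays reachable:
 *   <mvc:interceptors>
 *     <mvc:interceptor>
 *       <mvc:mapping path="/dashboard/**" />
 *       <mvc:mapping path="/employee1" />
 *       <bean class="org.dewbyte.corebank.utility.LoginStatusInterceptor" />
 *     </mvc:interceptor>
 *   </mvc:interceptors>
 */
public class LoginStatusInterceptor extends HandlerInterceptorAdapter {

    private static final String LOGIN_URL = "/login";

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
            Object handler) throws Exception {
        // getSession(false): do not create a session for anonymous requests
        HttpSession session = request.getSession(false);
        if (session != null && "true".equals(session.getAttribute("loginStatus"))) {
            return true; // logged in: continue to the controller
        }
        // not logged in (no session, flag missing, or flag "false"): send to the login page
        response.sendRedirect(request.getContextPath() + LOGIN_URL);
        return false; // stop further handling of this request
    }
}
```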