Java Session invalidate and timeout does not work
All works fine, but the logout and the session destroy don't work and I don't know why.
Why can I get access to the protected area if the session is invalidated or the session-timeout is reached?
Look at this HTTP-Server-Monitor
'http://localhost:8080/psg/admin/'
<security-constraint>
    <display-name>My First Sec Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
..
Login Servlet mapped to /admin/
HttpSession session = request.getSession();
if (session != null) {
    session.setAttribute("ID", session.getId());
    session.setAttribute("User", request.getRemoteUser());
    session.setAttribute("isAuthenticated", true);
    getServletContext().getRequestDispatcher("/index.jsp").forward(request, response);
}
Logout Servlet mapped to /admin/logout
HttpSession session = request.getSession(false);
if (session != null) {
    session.invalidate();
    response.sendRedirect(request.getContextPath());
}
The same issue occurs when the session-timeout should destroy the session. I can also get a valid session after this duration if I enter the protected area /psg/admin/
<session-timeout>1</session-timeout>
In case of basic and digest authentication, the browser will resend user credentials, so effectively there is no logout, only session invalidation.
You need to use form-based authentication for logout to work.
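The change the answer describes, as an added web.xml example that is not part of the original post or the asker's descriptor. The role name `admin`, the pages `/login.jsp` and `/login-error.jsp`, and the Servlet 3.1 schema version are assumptions; the constraint and timeout values are the ones shown in the question.

```xml
<!-- Added example. Assumed names: role "admin", /login.jsp, /login-error.jsp.
     Both pages sit outside /admin/* so they are reachable before login. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <security-constraint>
    <display-name>My First Sec Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Before: with BASIC (or DIGEST) the browser keeps the credentials and
       replays them on every request, so the container authenticates the user
       again and hands out a fresh session right after invalidate() or a timeout.
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  -->

  <!-- After: with FORM the login is tracked through the server-side session.
       Once that session is invalidated or times out, the next request to
       /admin/* is sent to the login page instead of being re-authenticated.
       /login.jsp must POST the fields j_username and j_password to the
       container-provided action j_security_check. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>admin</role-name>
  </security-role>

  <!-- Idle timeout in minutes, as in the question. -->
  <session-config>
    <session-timeout>1</session-timeout>
  </session-config>
</web-app>
```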