logout date and time without login

Question

Actually I have a serious problem : I saw that somebody has accessed my site from japan while i had not given any login id and password to unauthorized users. I alloted userids and passwords to only authenticated users and i am tracking login, logout time and login and logout IP Addresses details when an authenticated user is logged in. But i found that in my database there is no login time,login userid, login IP address but there is logout time, Logout IP address present in my database where userid is null. How is it possible??? A person from Japan has logged out from my site on 16:20:18 where as he has not logged in how?? Logout without Login?

Need help from experts Please

My web application is of jsp, servlets,java classes and oracle 10g : I have given the following protection:

 1. CSRF Protection 
 2. SQL Injection protection 
 3. XSS Protection 
 4. No Broken Authentication and session 

Very soon i am going to put SSL.

Authentication servlet:

HttpSession session1 = request.getSession(false);
     PrintWriter out = response.getWriter();
      try{
   if(request.getMethod().equalsIgnoreCase("POST")){
String user="";
String timenow="";
String strQuery="";
String today="";
String tour="";
try{
String useridfinal = (String)request.getParameter("userid");
    String userpassfinal = (String)request.getParameter("userpassword");
         Pattern p10 = Pattern.compile("[A-Z0-9a-z]+");// XSS checking
Matcher m10 = p10.matcher(useridfinal);
boolean b10 = m10.matches();
Pattern p11 = Pattern.compile("[A-Z!_,.a-z0-9]+");// XSS checking
Matcher m11 = p11.matcher(userpassfinal);
boolean b11 = m11.matches();
if(useridfinal == null || b10==false){
session1.setAttribute("errorlogin", "Invalid Login ID or userpassword");
response.sendRedirect("login.jsp");
        }
else if(userpassfinal == null || b11==false){
session1.setAttribute("errorlogin", "Invalid Login ID or userpassword");
response.sendRedirect("login.jsp");
}
else{
try {
  dbconnection db= new dbconnection();
 db.getConnection();
PreparedStatement ps=null;
     PreparedStatement ps2=null;
 ResultSet  rs=null;
ResultSet  rs1=null;
String ipadd="";
     try {
ipadd= request.getRemoteAddr();//tracking IP address
}
catch(Exception e) {
}
               SimpleDateFormat sdfDate = new SimpleDateFormat("dd-MM-yy HH:mm:ss");         
Date now = new Date();
String strDate = sdfDate.format(now);
    if(request.getParameter("userid")!=null &&
        (request.getParameter("userid") == null ? "" != null : !request.getParameter("userid").equals("")) && request.getParameter("userpassword")!=null &&
        (request.getParameter("userpassword") == null ? "" != null : !request.getParameter("userpassword").equals("")))
    {
 if ( session1 != null) {
               session1.invalidate(); }
 session1 = request.getSession(true);
    String s=(String)useridfinal;
       MessageDigest m=MessageDigest.getInstance("MD5");
       m.update(s.getBytes(),0,s.length());
       String encuseridfinal=(new BigInteger(1,m.digest()).toString(16));
      String s1=(String)userpassfinal;
       MessageDigest m1=MessageDigest.getInstance("MD5");
       m1.update(s1.getBytes(),0,s1.length());
       String encuserpassfinal=(new BigInteger(1,m1.digest()).toString(16));
ps= db.con.prepareStatement("select * from login where loginid=? and  loginpass=? ");
ps.setString(1, useridfinal);
ps.setString(2, encuserpassfinal);// encrypted userpassword
     try {
      rs=ps.executeQuery();
       } catch (SQLException ex) { 
        }
      int count=0;
      while(rs.next())
      {
 count++;
try {
  //Initialize SecureRandom
  //This is a lengthy operation, to be done only upon
  //initialization of the application
  SecureRandom prng = SecureRandom.getInstance("SHA1PRNG");
  //generate a random number
  String randomNum = new Integer( prng.nextInt() ).toString();
  //get its digest
  MessageDigest sha = MessageDigest.getInstance("SHA-1");
  byte[] result =  sha.digest( randomNum.getBytes() );
String csrf="";

csrf=hexEncode(result);
                try{
Calendar calendar = new GregorianCalendar();
int hour = calendar.get(Calendar.HOUR_OF_DAY);
int minute = calendar.get(Calendar.MINUTE);
int second = calendar.get(Calendar.SECOND);
today=(+hour+":"+minute+":"+second +"");
Date date = new Date();
SimpleDateFormat sdf = null;
String strDate1 = "";
sdf = new SimpleDateFormat("dd-MM-yy");
strDate1 = sdf.format(date);
tour=strDate1+" "+today;
               try{
           ps2 = db.con.prepareStatement("insert into logindetails (login_id, login_dt, login_ipaddress) values (?, to_date(?, 'DD-MM-YY hh24:mi:ss'),?) ");
               }
               catch(Exception e){
               }
ps2.setString(1, useridfinal);
try{
ps2.setString(2, tour);
}
catch(Exception e){}
try{
ps2.setString(3, ipadd);
}
catch(Exception e){}
try {
 rs1=ps2.executeQuery();
}
catch(SQLException ex){
}
 rs1.close();
 ps2.close();
  } 
               catch(Exception e){
               }
         session1.setAttribute("useridfinal", useridfinal);
      session1.setAttribute("csrftoken", csrf); //csrf token generation      
    response.sendRedirect("home.jsp");
  session1.setAttribute("authenticated", true);  
}
catch(Exception e){}
 }
 try{
       rs.close();
       }
       catch(Exception e){}
       try{
       ps.close();
       }
       catch(Exception e){}
     try{
    db.removeConnection();
     }
 catch(Exception e){}
      if(count==0)
      {
 session1.setAttribute("errorlogin", "Invalid Login ID or userpassword");
 response.sendRedirect("login.jsp");
      }
    }
    else {   
 session1.setAttribute("errorlogin", "Invalid Login ID or userpassword");
 response.sendRedirect("login.jsp");
}
  } catch (Exception e) {
  }
 }
} catch (Exception e) {
      out.println("please try later");
  }
   }
else{
response.sendRedirect("login.jsp");
}
    } catch (Exception e) {
   response.sendRedirect("login.jsp");
   }
processRequest(request, response);
}
function() {// For generating secure token
return token;
}

Signout Code

<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>JSP Page</title>
    <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<META NAME="ROBOTS" CONTENT="NONE"> 
<META NAME="GOOGLEBOT" CONTENT="NOARCHIVE">
</head>
<body>
     <%
String user="";
HttpSession session1 = request.getSession(false);
if(session1.getAttribute("useridfinal")!=null &&
session1.getAttribute("useridfinal")!="")
{
user = session1.getAttribute("useridfinal").toString();
}
    String today="";
String tour="";
dbconnection db= new dbconnection();
db.getConnection();
PreparedStatement ps=null;
     PreparedStatement ps2=null;
ResultSet  rs=null;
ResultSet  rs1=null;
try{
Calendar calendar = new GregorianCalendar();
int hour = calendar.get(Calendar.HOUR_OF_DAY);
int minute = calendar.get(Calendar.MINUTE);
int second = calendar.get(Calendar.SECOND);
today=(+hour+":"+minute+":"+second +"");
Date date = new Date();
SimpleDateFormat sdf = null;
String strDate1 = "";
sdf = new SimpleDateFormat("dd-MM-yy");
strDate1 = sdf.format(date);
String useripadd="";
try {
useripadd= request.getRemoteAddr();
}
catch(Exception e) {
}
 tour=strDate1+" "+today;
               try{
           ps2 = db.con.prepareStatement("insert into logindetails 
(loginid,logoutdt,logoutipaddress) values (?,to_date(?, 'DD-MM-YY hh24:mi:ss'),?)");
               }
               catch(Exception e){
               }
ps2.setString(1, user);
try{
ps2.setString(2, tour);
}
catch(Exception e){          }
ps2.setString(3, useripadd);
try {
 rs1=ps2.executeQuery();
}
catch(SQLException ex){
out.println(ex);
}
 rs1.close();
 ps2.close();
db.removeConnection();
 }
               catch(Exception e){
               }
       String csrf="";
request.getSession(false).removeAttribute("useridfinal");
request.getSession(false).removeAttribute("csrftoken");
response.setHeader("Pragma","no-cache"); 
response.setHeader("Cache-Control","no-store"); 
response.setHeader("Expires","0"); 
response.setDateHeader("Expires",-1); 
session1.invalidate();
response.sendRedirect("login.jsp");
%>
</body>

From the IP address i knew that that the location is japan. I do not know how it happened. Any help please?????????

Answer 1

It may be possible that the they may have used proxy for the login-logout and the user will be of your known person only and he may have access to your database and he want to do something wrong with your system so he login and done something wrong. And after that he may have removed his accesstime details.

Answer 2

Suppose your app is hosted at http://your.host.com/app , and suppose your logout JSP is named logout.jsp. If I just use my browser and type http://your.host.com/app/logout.jsp in the address bar and hit enter, you'll have a logout without login in your database. No need to crack anything.

Another possibility is that, since you ignore basically any exception that occurs, the login has succeeded but the insert into the database has failed. It's certainly that which happened, since to insert the login in database, you use executeQuery instead of using executeUpdate .

Your code is really, really, terrible. You should learn to indent code, use JDBC correctly, handle exceptions correctly, use transactions instead of autocommit, and close resultsets, statements and connections in finally blocks. And Java code in JSP is really bad practice.

Read tutorials, and NEVER do catch(Exception) {} .