Clever Geek Handbook

Destroys user session during logout?

I wanted to understand how we can implement a secure method to log into a website. I am trying to exit a page in jsp. Destroys the session enough when the user hits the logout button? If this is not what is required to log out, is it a safe operation for the user?

+3


source to share


5 answers


In general, I would say yes, but it depends on what other information you can store on the client side. For example, if you have sensitive cookies (hopefully you don’t), you should clear them as well.



+4


source


If you store user-related cookies, you also need to clear them. In other words, any information your server uses to identify a user must be cleared. If this is just a session, then in your case it is enough.



+3


source


Define "safe".

You probably also want to disable caching so that clicking the Back button does not display potentially sensitive information. Other than that, I'm not sure what else is bothering you.

0


source


Depends on your application requirement what kind of functionality you want during logout. Apart from refreshing or dropping the user's session multiple times in the session, there are several variables, these must also be properly released.

0


source


Yes, once you invalidate the session the session id is no longer valid, probably the session cookie will be destroyed as well, so the session will not be deleted (along with all data stored in the session).

To log out (from servlet or JSP page):

<% 
   HttpSession s = request.getSession(); 
   s.invalidate();
%>

This was the easy part. Now, if you save some important user data in a user cookie, make sure you clear it. The same goes for HTML 5 local storage - it needs to be manually cleaned up.

0


source






More articles:


All Articles