JSP Servlet session invalidate() does not make session null


I have three simple HttpServlet classes in my JSP project, "LoginServlet", "LogoutServlet" and "ProfileServlet".

  • LoginServlet: log in user by setting "name" attribute to session
  • LogoutServlet: log out user and invalidate session
  • ProfileServlet: display user welcome info if user has logged in

The last two servlets, which I reckon are problematic, are as below.

@SuppressWarnings("serial")
public class LogoutServlet extends HttpServlet {
        protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
            response.setContentType("text/html");
            PrintWriter out=response.getWriter();

            HttpSession session=request.getSession(false);
            session.invalidate();

            request.getRequestDispatcher("link.jsp").include(request, response);

            out.print("You are successfully logged out!");

            out.close();
    }
}

And

@SuppressWarnings("serial")
public class ProfileServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request,
            HttpServletResponse response) throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        request.getRequestDispatcher("link.jsp").include(request, response);

        HttpSession session = request.getSession(false);
        if (session != null) {
            String name = (String) session.getAttribute("name");

            out.print("Hello, " + name + " Welcome to Profile");
        } else {
            out.print("Please login first");
            request.getRequestDispatcher("login.html").include(request,
                    response);
        }
        out.close();
    }
}

And the link.jsp:

<% HttpSession nsession = request.getSession(false);
if(nsession == null) {
%>
<a href="login.html">Login</a>
<%
}
else {
%>
<a href="LogoutServlet">Logout</a>
<%
}
%>
<a href="ProfileServlet">Profile</a>
<hr/>

The problem is that while the user is logged in, when the "Logout" link is clicked and "LogoutServlet" is called, the session is not correctly invalidated and ProfileServlet still prints out

"Hello, null Welcome to Profile"

instead of redirecting to the "login.html" page, because the session is still NOT null. As a result, the "Login" link is not shown on the "link.jsp" page. This stops the user from being able to attempt to log in again.

EDIT: To clarify the problem, I made a new HTML page and updated the servlets to do

request.getRequestDispatcher("link.html").include(request, response);

And the "link.html".

<a href="login.html">Login</a>
<a href="LogoutServlet">Logout</a>
<a href="ProfileServlet">Profile</a>
<hr/>

Interestingly this does what I wanted! I guess the problem is

request.getRequestDispatcher("link.jsp").include(request, response);

But I am unable to explain why...


In JSP, a new session is created by default if none is present, so you will always get a non-null session. You can disable that by adding the following page directive to your page:

<%@ page session="false" %>

For more info, check the following: Why set a JSP page session = "false" directive?



When it calls invalidate(), it removes that session from the server context, along with all data associated with that session.

When you make a new request, it creates a new one, and so you see null as the data because the new session doesn't have data in it.

You should check for a logical attribute inside the session to validate whether the user is logged in or not, instead of the session itself.



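That may help you. Check it out for condition checking.

Condition To Check:

<%
// Treat a missing or empty "name" attribute as "not logged in".
if (session.getAttribute("name") == null ||
        session.getAttribute("name").equals("")) {
    response.sendRedirect("login.jsp");
    return; // stop rendering the rest of the page after the redirect
}
%>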

Set Up While Logout:

session.setAttribute("name", "");
session.invalidate();
response.sendRedirect("login.jsp");    
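The answers above recommend testing a login attribute rather than whether the session object is null. The following is an added example, not code from the question or from any of the answers, showing both servlets rewritten that way. It assumes the javax.servlet API (Servlet 3.0 or later, for `@WebServlet`); the names `SessionGuardExample` and `loggedInUser` are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example; SessionGuardExample and loggedInUser are hypothetical names.
public class SessionGuardExample {

    // "Logged in" means the "name" attribute is set, not that a session exists:
    // an included JSP without session="false" creates an empty session.
    static String loggedInUser(HttpServletRequest request) {
        HttpSession session = request.getSession(false); // never create one here
        Object name = (session == null) ? null : session.getAttribute("name");
        return (name instanceof String && !((String) name).isEmpty()) ? (String) name : null;
    }

    @WebServlet("/LogoutServlet")
    public static class LogoutServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            HttpSession session = request.getSession(false);
            if (session != null) {          // no NullPointerException if already logged out
                session.invalidate();
            }
            response.sendRedirect("login.html");
        }
    }

    @WebServlet("/ProfileServlet")
    public static class ProfileServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            String name = loggedInUser(request);
            if (name == null) {
                response.sendRedirect("login.html");
                return;                     // nothing else is written after the redirect
            }
            response.setContentType("text/html");
            response.setHeader("Cache-Control", "no-store"); // keep the profile out of caches
            String safe = name.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
            response.getWriter().print("Hello, " + safe + " Welcome to Profile");
        }
    }
}
```

With this check, a fresh empty session created by an included JSP no longer counts as a login, so ProfileServlet redirects instead of printing "Hello, null".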

How to check existing session is invalidated or not?, getSession(false); if(session != null){ session.invalidate(); } In my IceFaces application I have a link to an logout JSP/Servlet which is stored  Re: JSP/Servlet session Invalidate. 794117 Jan 5, 2009 7:18 PM ( in response to 843840 ) The reason you are seeing the "old values" is that the page you are viewing was served from the cache, and not actually run again. solution: put the standard no-cache tags on your page, clear your cache, and it should work how you expect it to.


How Servlet and JSP Create Sessions, Servlet · JSP · Taglib or JSP. There is an invalidate() method in the HttpSession interface, this method package org.kodejava.example.servlet; import javax.servlet. Get an HttpSession related to this request, if no session exist don't This is just a check to see after invalidation the // session will be null. Swastik Dey wrote:As per my knowledge in a jsp page session object can never be null, because if you look at the _jspService method of servlet(jsp compiled servlet) the following line of code gets executed session = pageContext.getSession(); means your session object is not null.


session.invalidate() does not work, If the session object null means, session is already expired or not yet initiated. Use invalidate() method on session object to invalidate a session if the session object is not null. index.jsp: It is having four variables which are being stored in session object. display.jsp: It is fetching the attributes (variables) from session and displaying them. errorpage.jsp: It is first calling session.invalidate() in order to invalidate (make the session inactive) the session and then it has a logic to validate the session (checking whether the session is active or not).


Invalidating a valid session in jsp (JSP forum at Coderanch), Also, remember that 'null' is not an object and equals() method should be used when Calling session.invalidate() in scriptlet code should do exactly that. When a JSP resource is used, container automatically creates a session for it, so we can’t check if session is null to make sure if user has come through login page, so we are using session attribute to validate request. CheckoutPage.jsp is another page and it’s code is given below.