Same sessionid after invalidating session
I will try and put the problem differently: I have a web application which presents a login page to the user.
Bill, I agree that the old session is not getting retrieved. If yes, is there a way I can invalidate the cookie?
But my problem is that using a combination of Back and Refresh I am able to login to the application without having to enter the credentials again.
The session associated with the user is identified through a “session token” that is originally generated by the server and is delivered to the browser as a cookie.
The browser then returns the session token with subsequent requests, allowing the server to retrieve the corresponding session object and thus maintain context with that user.
Once you invalidate the session, how can a user do a back and refresh and access the same (already invalidated) session?
Even if the JSESSIONID is still present, the session whose ID it is holding is already invalidated, so how can you get that session back? My point is when you say session.invalidate() the session object is destroyed, so even if you use the same browser which will use the same JSESSIONID, how will you be able to access an object (the session in this case) after it has been destroyed?

If you are using getSession() and it does return a session it should be a new one - see the isNew() method of HttpSession.

You should be using getSession(false), which would return null if the old session has indeed been invalidated.

he is again logged into the application without having to reenter the user id and password.

No, it just looks like he is logged into the application.

Any form submission from that old page will have the old JSESSIONID cookie attached.
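The following is an added example, not code posted by anyone in this thread: a logout helper and a servlet filter that apply the points made above (invalidate the session, expire the JSESSIONID cookie, and check with getSession(false) instead of getSession()). It assumes the javax.servlet API, a hypothetical "user" session attribute and "/login" path, a session cookie scoped to the context path, and a filter mapped only to protected URLs; the no-store headers are an addition so that Back and Refresh cannot redisplay a cached page that merely looks logged in.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example. Assumptions: javax.servlet API (jakarta.servlet on newer containers),
// hypothetical "user" attribute and "/login" path, filter mapped to protected URLs only.
public class SessionGuard implements Filter {

    /** Logout: destroy the server-side session and expire the browser's cookie. */
    public static void logout(HttpServletRequest req, HttpServletResponse resp) {
        HttpSession session = req.getSession(false); // do not create one just to destroy it
        if (session != null) {
            session.invalidate();
        }
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setMaxAge(0); // Max-Age=0 tells the browser to delete the cookie
        String path = req.getContextPath();
        expired.setPath(path.isEmpty() ? "/" : path); // assumed to match the container's cookie path
        expired.setHttpOnly(true);
        resp.addCookie(expired);
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Keep protected pages out of the browser cache so Back/Refresh must hit the server.
        resp.setHeader("Cache-Control", "no-store");
        resp.setHeader("Pragma", "no-cache");
        resp.setDateHeader("Expires", 0);

        // getSession(false) returns null once the old session has been invalidated;
        // getSession() would silently create a new, empty session instead.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            resp.sendRedirect(req.getContextPath() + "/login");
            return;
        }
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```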