Following is the way I have implemented it: in the Controller Servlet I check whether the current session is valid by invoking the method isRequestedSessionIdValid(), and if it is not a valid session then the user should be redirected to the login page. For security reasons it is required that, in case the user is currently sitting idle for too long (say 5 minutes), the application "should automatically log the user out". Secondly, I am also having problems destroying a session when the user clicks on the "logout" button. I have currently implemented it in the same fashion.
An attacker is able to force a known session identifier on a user so that, once the user authenticates, the attacker has access to the authenticated session. The application or container uses predictable session identifiers.

The Sun Java System Web Server supports the servlet standard session interface, called

A cookie is a small collection of information that can be transmitted to a calling browser, which retrieves it on each subsequent call from the browser so that the server can recognize calls from the same client. A cookie is returned with each call to the site that created it, unless it expires.

Is there any way to invalidate the session ID so they can no longer be used for subsequent API calls?
I know the session ID expires 1 hour after inactivity, but this means that it is possible someone could extend the life of the session ID for an indefinitely long period of time.
You may also want to post a support ticket if we do not get back to you in a timely manner.
Now, when the back button is pressed and any of the site links are clicked, the user gets to have a look at all the site information as though he hasn't yet logged out. However, I noticed after printing the session ID on each JSP that when the "logout" button is clicked and the user is directed to a "thank you" page, a different session ID is printed on that page. At that point I wouldn't want an internal site page to still be viewable to others. In other words, if the system is idle for some time, an automatic redirection should take place.
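As an added example (not the poster's own code), the following Java servlet filter and logout servlet show the three pieces the question above asks for: redirecting requests that do not carry a valid, authenticated session, letting the container enforce a 5-minute idle timeout via setMaxInactiveInterval(), and destroying the session on logout with invalidate(). It also sets no-cache headers on protected pages, because the "back button still shows the page" symptom is usually the browser serving a cached copy rather than the server still honouring the old session. The login page path /login.jsp, the "thank you" page /thankyou.jsp, the session attribute name "user" and the default cookie name JSESSIONID are assumptions.

```java
// Added example, not from the original post. Assumes the javax.servlet API,
// a login page at /login.jsp, a post-logout page at /thankyou.jsp, and that a
// successful login stores the principal under the session attribute "user".
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.IOException;

public class SessionGuardFilter implements Filter {
    // Idle limit: the container destroys the session after this many seconds
    // without a request, which is the "automatic logout" the question asks for.
    private static final int IDLE_SECONDS = 5 * 60;

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Protected pages must never be cached; otherwise pressing "Back" after
        // logout shows a stale copy from the browser cache with no request ever
        // reaching the server.
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        // getSession(false) never creates a session as a side effect, so an
        // unauthenticated visitor does not silently acquire one here.
        HttpSession session = request.getSession(false);
        boolean loggedIn = request.isRequestedSessionIdValid()
                && session != null
                && session.getAttribute("user") != null;
        if (!loggedIn) {
            // Invalid, expired or never-authenticated session: back to login.
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }

        session.setMaxInactiveInterval(IDLE_SECONDS);
        chain.doFilter(req, res);
    }
}

// Mapped to /logout in web.xml; package-private so the file compiles as one unit.
class LogoutServlet extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            // Destroys all server-side state; the old ID is no longer valid.
            session.invalidate();
        }
        // Also expire the cookie on the client (assumes the default JSESSIONID name).
        Cookie cookie = new Cookie("JSESSIONID", "");
        cookie.setMaxAge(0);
        String path = request.getContextPath();
        cookie.setPath(path.isEmpty() ? "/" : path);
        response.addCookie(cookie);
        response.sendRedirect(request.getContextPath() + "/thankyou.jsp");
    }
}
```

Map SessionGuardFilter to the protected URL patterns and LogoutServlet to /logout in web.xml. The "different session ID on the thank-you page" observation is expected: after invalidate(), any JSP that calls getSession() (which JSPs do by default unless declared with session="false") creates a fresh, empty session, so a new ID on that page does not mean the old one survived. The filter's getAttribute("user") check is what actually distinguishes an authenticated session from such an empty one. For the session-fixation point raised earlier on the page, call request.changeSessionId() (Servlet 3.1 and later) immediately after a successful login so the pre-authentication ID is never the authenticated one.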
Sessions are used for maintaining user-specific state across many interactions, including persistent objects (such as handles to database result sets) and authenticated user identities.