Best place for clearing the session

Hi All,

I am using Vaadin 7.1.10 and I have 3 views: a logon page, a main view and a logout page. In the enter method of the logout page I am closing the session, which gets rid of the Vaadin session. However, I want to be able to destroy the underlying HttpSession. When I tried it in the enter method I received a NullPointerException. I tried placing it on the button to log off in the main view and I got the same result. Where should I be placing the session.invalidate()?

Regards,
Brian

Hello Brian,

Try to do something like this.

Whenever the user clicks on logout, take him to the logout view. In the enter method try to do something like this:

VaadinSession vSession = VaadinSession.getCurrent();
WrappedSession httpSession = vSession.getSession();
httpSession.invalidate();

I think it would be appropriate to redirect the user to a default page, after invalidating the session, using Page.setLocation(""), once the user clicks on logout rather than redirecting him to a logout view, because once the session is invalidated, whenever the user tries to perform some action on the UI he would get a Session Expired message (the red color box).

Hope someone from the Vaadin Team would give you a better solution in this use case. If it's me I would do something like above.

Thanks,
Krishna

Hi, thanks for the info. I had something like this already, but I am receiving a NullPointerException. I understand that the underlying session means that the components will be rendered useless, which is what I want. For security purposes the underlying session needs to be invalidated.

Regards,
Brian

Hello Brian,

I have tried something like this and it worked -

VaadinSession vSession = VaadinSession.getCurrent();
WrappedSession httpSession = vSession.getSession();
// Invalidate HttpSession
httpSession.invalidate();
// Redirect the user to the login/default Page
Page.getCurrent().setLocation("/MyApp");

Hope this helps you. Please let me know if you require any additional info. I have embedded this code in my logout button click listener.

Thanks,
Krishna.

Note that if you redirect to a URL that is also a Vaadin app, a new session will be started as Vaadin requires a session.

We do something similar, but our login page is a JSP that is outside of Vaadin and so doesn’t create a session until we authenticate them and then redirect to the Vaadin app.

For logoffs, we do something similar with a JSP that handles the logoff message and it also ensures that any session is ended (and it can automatically redirect to the login page if that makes sense). This ensures, also, if they use the BACK button, the Vaadin app is no longer displayed after a logoff.

Hi, thanks for the info, but I am still receiving a NPE on the clickListener when invalidating the session. I was trying to avoid having external JSPs, but I may have to use them to invalidate the session.

Regards,
Brian

Hello Brian,

Can you please share the snippet of logout, and point out where exactly you are receiving the null pointer exception?
The one I posted is a tested snippet and I will fill in any gaps if found.

Thanks,
Krishna.

Sure. This is an example of the code in the logoff view.

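import com.vaadin.navigator.View;
import com.vaadin.navigator.ViewChangeListener.ViewChangeEvent;
import com.vaadin.server.ExternalResource;
import com.vaadin.server.Page;
import com.vaadin.server.VaadinServlet;
import com.vaadin.server.VaadinSession;
import com.vaadin.server.WrappedSession;
import com.vaadin.shared.ui.MarginInfo;
import com.vaadin.ui.Alignment;
import com.vaadin.ui.CustomComponent;
import com.vaadin.ui.Label;
import com.vaadin.ui.Link;
import com.vaadin.ui.Panel;
import com.vaadin.ui.VerticalLayout;

public class Logout extends CustomComponent implements View  {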
    private static final long serialVersionUID = -2011157981229010156L;
    public static final String NAME = "logout";    

    public Logout() {
        Page.getCurrent().setTitle("Logout");
        setSizeFull();
        
        Label errorMsg = new Label("Thank you for using the system.");
        errorMsg.setWidth("300px");

        Link link = new Link("Click here to login", new ExternalResource(VaadinServlet.getCurrent().getServletContext().getContextPath()));
        
        VerticalLayout form = new VerticalLayout();
        form.addComponent(errorMsg);
        form.addComponent(link);
        form.setSpacing(true);
        form.setMargin(new MarginInfo(true, true, true, true));
        
        Panel panel = new Panel("Logged Out");
        panel.setWidth("450px");
        panel.setContent(form);
        
        VerticalLayout viewLayout = new VerticalLayout(panel);
        viewLayout.setSizeFull();
        viewLayout.setComponentAlignment(panel, Alignment.MIDDLE_CENTER);

        setCompositionRoot(viewLayout);
    }

    @Override
    public void enter(ViewChangeEvent event) {
        
        VaadinSession vSession = VaadinSession.getCurrent();
        WrappedSession httpSession = vSession.getSession();
        httpSession.invalidate();
    }
}

[2/11/14 9:29:35:163 GMT] 000000a7 DefaultErrorH E
java.lang.NullPointerException
at com.vaadin.server.communication.MetadataWriter.write(MetadataWriter.java:81)
at com.vaadin.server.communication.UidlWriter.write(UidlWriter.java:163)
at com.vaadin.server.communication.UidlRequestHandler.writeUidl(UidlRequestHandler.java:149)
at com.vaadin.server.communication.UidlRequestHandler.synchronizedHandleRequest(UidlRequestHandler.java:97)
at com.vaadin.server.SynchronizedRequestHandler.handleRequest(SynchronizedRequestHandler.java:37)
at com.vaadin.server.VaadinService.handleRequest(VaadinService.java:1382)
at com.vaadin.server.VaadinServlet.service(VaadinServlet.java:238)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)

Thanks,
Brian

Looking at your code, this can’t work, even if I don’t know where the exception is actually thrown.
You’re leaving the User on a page which is associated to a Session which doesn’t exist anymore. This way every kind of interaction with said page will cause a SessionExpired Notification and/or a Server-Side exception.
A better way to do it would be to:

  1. Automatically reload the application/page to get the user back to the Login
  2. Route the user to another page/application
  3. Do something else which doesn’t cause the user to end up on a page he doesn’t have a session for.

You could do that like this:
Redirect the User to another page (for example like this: getUI().getPage().setLocation("/myapp/logoutpage.html") or jsp as suggested above)
and in the next line you invalidate the session.

Hi, the idea is this is the page the user sees when they are logged off from the application and the session is destroyed. My original question is where I should be invalidating the session. The user’s HttpSession should be invalidated when seeing this page.

Regards,
Brian

The problem is that your user can’t really do anything on that site other than getting a SessionExpired, or other exception.
It’s like you’re sitting your user in front of a Computer with a Keyboard, a Mouse and a Monitor and then you take the Computer and just leave him with the Keyboard, Mouse and Monitor.
I would suggest either routing the user to a new Session/another application/html page/jsp or keeping the session valid for a bit longer until the user finally left the application/session (for example using heartbeat).

Also, why are you invalidating the underlying/wrapped session and not the top Vaadin one?
I’m also not sure if the enter method is a good place for that, as 1) I don’t know exactly if it is called after the constructor and 2) I know that there was (or still is?) a problem where this method was called twice.

Hi, thanks for the information. The reason I am invalidating the HttpSession is that this is a High Availability environment where the session is stored using replication to other App Servers in case one of the App Servers is unavailable. I will have to use a Servlet/JSP to do proper invalidation.

Thanks again,
Brian
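The servlet-based logoff this thread arrives at (handled outside the Vaadin UI, as the JSP suggestion above describes), shown as an added example; it is not code from any poster or from Vaadin. The `/logoff` mapping, the `login.jsp` target and the `JSESSIONID` cookie name are assumptions, and a Servlet 3.0 container is assumed.

```java
import java.io.IOException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logoff endpoint. An exact-path mapping wins over a Vaadin
// servlet mapped to "/*", so this request never reaches a Vaadin UI.
// The Vaadin logout button only sends the browser here, e.g.
//   getUI().getPage().setLocation(contextPath + "/logoff");
@WebServlet("/logoff")
public class LogoffServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // getSession(false): do not create a session just to destroy it.
        HttpSession session = req.getSession(false);
        if (session != null) {
            try {
                // Destroys the container session (and its replicated copies),
                // which also ends the Vaadin session stored inside it.
                session.invalidate();
            } catch (IllegalStateException alreadyInvalidated) {
                // Timed out or invalidated by a parallel request: the goal
                // (no live session) is already met, so continue.
            }
        }

        // Expire the session cookie in the browser as well.
        // "JSESSIONID" is the usual default name; adjust if reconfigured.
        String path = req.getContextPath();
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setPath(path.isEmpty() ? "/" : path);
        expired.setMaxAge(0);
        expired.setHttpOnly(true);
        expired.setSecure(req.isSecure());
        resp.addCookie(expired);

        // Keep this response itself out of browser and proxy caches.
        resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        resp.setHeader("Pragma", "no-cache");
        resp.setDateHeader("Expires", 0);

        // Land on a page that does not need (or create) a session.
        resp.sendRedirect(path + "/login.jsp");
    }
}
```

Because the invalidation happens in its own request, no Vaadin UIDL response is written against a session that has just been destroyed.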

Brian S Paskin:

Krishna Phani Kumar: Hello Brian,

I have tried something like this and it worked -

VaadinSession vSession = VaadinSession.getCurrent();
WrappedSession httpSession = vSession.getSession();
// Invalidate HttpSession
httpSession.invalidate();
// Redirect the user to the login/default Page
Page.getCurrent().setLocation("/MyApp");

Hope this helps you. Please let me know if you require any additional info. I have embedded this code in my logout button click listener.

Thanks,
Krishna.

Hi, thanks for the info, but I am still receiving a NPE on the clickListener when invalidating the session. I was trying to avoid having external JSPs, but I may have to use them to invalidate the session.

Regards,
Brian

Hi, I have a problem with logout: it does not work. Do I have to do something extra in Vaadin 17? Sometimes I get this error: java.lang.IllegalStateException: isNew: Session already invalidated