Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

j_security_check

  • 17-08-2006 4:32pm
    #1
    Registered Users, Registered Users 2 Posts: 378 ✭✭


    When a user changes their password I am logging them out using the following...
    request.getSession().invalidate();
    

    After this they are returned to the login page, what is weird is they are able to login with their old password. If they subsequently try to login with their new password this also works but now the old password is invalid.

    I know this must have something to do with j_password still being in memory for this session.

    Has anyone seen this before or have a solution?


Comments

  • Closed Accounts Posts: 25 dan_pretty_boy


    Hi sicruise

    Print out whats on the request object before u change the password and after
    you change the password. I dont think the j_password gets stored in the session.


    danny


  • Registered Users, Registered Users 2 Posts: 378 ✭✭sicruise


    Hi Dan,

    When i use
    request.getSession().getAttributeNames().nextElement();
    

    after
    request.getSession().invalidate();
    

    is called. There is nothing in the sesssion.

    This is as expected. But the old password is still valid when the session is cleared... your right that j_password is not kept in the session. But i had a user.password that was and i was getting a bit confused with that.

    Any idea's...?

    Si


  • Registered Users, Registered Users 2 Posts: 597 ✭✭✭bambam


    What Web Container are you using?
    Perhaps the security credentials are cached, e.g. LTPA timeout in WebSphere.


  • Registered Users, Registered Users 2 Posts: 378 ✭✭sicruise


    I'm using JBoss 4.0.2, should the request.getSession().invalidate(); not delete this cache?


  • Registered Users, Registered Users 2 Posts: 128 ✭✭Grand_Izer


    Invalidating the session won't necessarily flush the user's credentials from the authentication cache. The link below goes into a bit more detail on how to flush the cache either manually or on session invalidation.

    http://wiki.jboss.org/wiki/Wiki.jsp?page=CachingLoginCredentials


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 378 ✭✭sicruise


    Thanks for pointing me in the right direction...

    I turned off the caching feature and it is working fine now.


Advertisement