j_security_check

  • 17-08-2006 5:32pm
    #1
    Registered Users Posts: 378 ✭✭


    When a user changes their password I am logging them out using the following...
    request.getSession().invalidate();
    

    After this they are returned to the login page. What is weird is that they are able to log in with their old password. If they subsequently try to log in with their new password, this also works, but now the old password is invalid.

    I know this must have something to do with j_password still being in memory for this session.

    Has anyone seen this before or have a solution?


Comments

  • Closed Accounts Posts: 25 dan_pretty_boy


    Hi sicruise

    Print out what's on the request object before you change the password and after
    you change the password. I don't think the j_password gets stored in the session.


    danny


  • Registered Users Posts: 378 ✭✭sicruise


    Hi Dan,

    When I use
    request.getSession().getAttributeNames().nextElement();
    

    after
    request.getSession().invalidate();
    

    is called, there is nothing in the session.

    This is as expected. But the old password is still valid when the session is cleared... you're right that j_password is not kept in the session. But I had a user.password that was, and I was getting a bit confused with that.

    Any ideas...?

    Si


  • Registered Users Posts: 597 ✭✭✭bambam


    What Web Container are you using?
    Perhaps the security credentials are cached, e.g. LTPA timeout in WebSphere.


  • Registered Users Posts: 378 ✭✭sicruise


    I'm using JBoss 4.0.2, should the request.getSession().invalidate(); not delete this cache?


  • Registered Users Posts: 128 ✭✭Grand_Izer


    Invalidating the session won't necessarily flush the user's credentials from the authentication cache. The link below goes into a bit more detail on how to flush the cache either manually or on session invalidation.

    http://wiki.jboss.org/wiki/Wiki.jsp?page=CachingLoginCredentials
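
The behaviour reported in this thread, reproduced as an added example that is not part of any post above and is not JBoss code: a simplified model of a container authentication cache that lives outside the HTTP session, with a password change that does or does not flush it. The class and method names are hypothetical, the user data is constructed, and the model assumes the cache compares the presented password with the cached one and falls back to the user store on a mismatch.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of a container authentication cache (hypothetical, not JBoss code).
// Passwords are kept in plaintext only to keep the model short.
public class AuthCacheDemo {
    // Constructed user store standing in for the login module's database.
    static final Map<String, String> userStore = new HashMap<>();
    // Credentials that have already authenticated, keyed by username.
    // This lives in the container, not in the HttpSession, so
    // session.invalidate() never touches it.
    static final Map<String, String> authCache = new HashMap<>();

    static boolean login(String user, String password) {
        // Cache hit: presented password equals the cached one, so the
        // user store is never consulted and a stale password still works.
        if (password.equals(authCache.get(user))) {
            return true;
        }
        // Miss or mismatch: full check against the user store.
        if (password.equals(userStore.get(user))) {
            authCache.put(user, password); // replaces any stale entry
            return true;
        }
        return false;
    }

    // Password change; flushCache=true evicts the user's cached credential.
    static void changePassword(String user, String newPassword, boolean flushCache) {
        userStore.put(user, newPassword);
        if (flushCache) {
            authCache.remove(user);
        }
    }

    public static void main(String[] args) {
        userStore.put("si", "old-pw");
        System.out.println("initial login:             " + login("si", "old-pw"));

        changePassword("si", "new-pw", false); // session invalidated, cache untouched
        System.out.println("old pw, cache not flushed: " + login("si", "old-pw"));
        System.out.println("new pw:                    " + login("si", "new-pw"));
        System.out.println("old pw after new login:    " + login("si", "old-pw"));

        changePassword("si", "newer-pw", true); // cache entry evicted on change
        System.out.println("stale pw after flush:      " + login("si", "new-pw"));
        System.out.println("current pw after flush:    " + login("si", "newer-pw"));
    }
}
```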


  • Registered Users Posts: 378 ✭✭sicruise


    Thanks for pointing me in the right direction...

    I turned off the caching feature and it is working fine now.

