Summary :I have developed a login system in web application (using java,jsp & javascript).
Required Functionality :
Not allow user to login in to system from two different tabs of same browser at same time. If any user tries error msg "user already logged in".
Issue: Step 1) When i try to login from other/2nd tab error msg is displayed (as expected) and redirected to login page again. Step 2) Then i logout from first tab, at the backend i remove all session variables created. Step 3) Then when i try to login from other/2nd tab login page, it is observed that i get session variables again, expected to get empty or null variables(as i already removed them at backend in logout request).
Expected : Should not get session variables again for 2nd tab login.
Sessions are by IP and User-agent (i.e. browser). So you can't prevent multiple tabs in the same browser. Nor should you want to. If you need to do this its because you have a major flaw in your design. If you're just looking for a way to test yourself as two users, login in Chrome as one user and in Firefox as another.
Your problem with still being able to get to a page after logging out is apparently that you don't have anything like this to prevent unathenticated users from getting in:
Similarly on the login page, if the user is already logged in:
That way a user who is already logged in cannot fill out the login form again without logging out first.
It can also be a caching issue. If you allow the browser to cache protected pages, then after a user logs out, if they go to the page again they may see the page because it was cached. So, set no-cache headers: