Discussions

Web tier: servlets, JSP, Web frameworks: After logout Enforce reloading of page when back-button pressed

  1. It would be easy for me to put my problem this way:
    Suppose, I am allowed to change the serverside logout functionality so that after login out from server side, the user is not able to see any of those pages that he has already visited during his logged in session.If he tries to do so by pressing browser Back button, he shoud be directed to login page.To reproduce it, login to serverside and click on MyProfile.Don't make any change on your profile page instead click Logout, Now on next screen press browser back button. You are able to see your profile though you have already logged out. However, If you try to update your profile from here, you are asked to re login (that works with my application too). This may not be critical here(on serverside) but on sites where finicial transactions are performed, it is a potential security issue.Even Hotmail and Yahoo don't allow you to see any such information once you logged out.

    I am using jsp,servlet and tomcat and DON'T WANT TO DISABLE BACK BUTTON FUNCTIONALITY WHEN USER ALREADY LOGGED IN, AFTER ALL IT ENABLES USER NAVIGATION EASY WITHOUT MY PROVIDING ANY BACK BUTTON FEATURE ON MY JSP PAGE.

    Please suggest.
  2. This problem is simpler than you think. It is not a login problem, it is an anti-caching problem.

    Configure your application to send anti-caching instructions to the browser to prevent your pages from being cached in browser memory. This way, when the user clicks the "back" button, the browser will be forced to invoke the server rather than displaying the cached page. The relevant instructions are:

    response.setHeader("Cache-Control", "no-cache");
    response.setHeader("Pragma", "no-cache");
    response.setDateHeader("Expires", 0);

    Assuming you have security configured correctly, when the browser invokes the server's page, they should be redirected to the login page, since the user is no longer authenticated.
  3. Thanxs for your prompt reply.

    I was aware of this solution that makes my page always invisible even when user is logged in. I have clearly metioned in my post that i want my LOGGED IN user to user browser back button as normal. But once he choosed to log out, he is not allow to see any of his/others contents by pressing Back.
  4. The solution I suggested should still work for the logged in user, because the page request will be sent to the server, the user will be authenticated (and therefore NOT redirected to the login page) and the page should rendered normally.
  5. Well, when logged in user press back button he is also shown the warning message (page expired..)and only when he choose to "Refresh" the page, a new request is sent to the server and he is responded normally because he is authenticated on the server. My problem is that he is not shown any WARNING since he is logged in currently. Warning should be shown to already logged out users only.
  6. Hmmm. I am betting that the page in question is one that you have targeted via an HTML form using the POST method. If that is the case, there is no pretty solution to your problem.

    Some things the might work:

    1. Change the form to use the GET method.

    2. Split up your processing logic into two parts: update and display. Have your form target an update component (servlet or JSP) which performs and necessary system updates,. When the update component is finished, have it perform a client-side redirection [response.sendRedirect()] to a display page which displays the results. The client-side redirect is effectively an HTTP GET method, so this should resolve the problem.

    Solution (1) is quick and dirty, but may be good enough. Solution (2) is better in the long run, but may require a significant redesign of your application.
  7. Please assist[ Go to top ]

    I have exactly the same problem you had but my site is in ASP.
    After log out, i donot want to let user see the content of restricted area by using browser back button.

    Which appraoch you used to solove it ?

    I will really appreatiate if you assist me.

    Thanks

    Mac
    amHere786@yahoo.com
  8. See this article
    http://www.javaworld.com/javaworld/jw-09-2004/jw-0927-logout.html
  9. Please check if it will help... In body tag, onunload event call javascript function.... ... <script language="Javascript"> function unload_logout() { location.replace("/application/login.jsp"); return "This session is expired.. Please try again"; } </script> ...