Hi Buddies,
   Fine and wish U the same.
   I 'm developing an application for which I 've to provide login and logout pages. My query is: after logging out from an application, if V press 'Back' button, it should not take back to the secured pages again. V 've to process the request again as new process. But, I don't know how to do so. If anyone could give me the solution for this, that 'ld be really, really great!
   Thanx a lot in advance for the help done!

Cheers,
Siva
(vksiva at email dot com)

Hi,
   put some value in session variable in login page, and check the value in every jsp. In logout page, make the session to be invalidate . In jsp pages, if that session value is not validated means redirect to the login.jsp .


eg:
login.jsp
  session.setAttribute("validsession" ,"yes");

In all jsps,
 the starting condition will be:
   if(!(session.getAttribute("validsession").equals("yes")))
     response.sendRedirect("path../login.jsp");

logout.jsp
   session.invalidate();

I hope this may help U.
Usha.

I think you are invalidating the session for log out. Even though you invalidate the session , it is still there until garbage colleted, but values stored in the session won't be there in the session after invalidation. So what you can do in your jsp pages is check for some variable value stored in the session. Assume that you stored userid in the session after user login successfully, after logout if you check value of userid in the session, it will be null.

 userid = session.getAttribute("userid");

 if ( userid == null )
   response.sendRedirect("/login-page.jsp");

Hope this will help you.

As far as I was aware, invalidating the session detaches it from both the cookie the browser sends, and the rewritten URL with the ID in it. It shouldn't matter if it's been garbage collected or not. If you invalidated it then it should be gone.

Hence...

<%
HttpSession sess = request.getSession(false); // Don't create session if not exists.

if (null==sess) {
  response.sendRedirect("/login.jsp");
}
%>
...should work. Stuff that in an include file that all your JSPs in the "secure" are include at their very beginning.

Chz

Tony

Hi Guys,
   I 've tried all the methods U 've told but ended up in vain. Like, if I use 'setAttribute' method, then I 'm getting an error saying 'setAttribute method not available'. If I use
<%
HttpSession sess = request.getSession(false); // Don't create session if not exists.

if (null==sess) {
  response.sendRedirect("/login.jsp");
}
%>

I 'm not getting any errors, but after logging out, it goes back to the previous page if back button in the browser is pressed...
I 'm extremely delighted for U'r reply. If U could give me some more detailed help, then I would be really grateful to U guys...
Thanx a lot in advance for the help done!

Chrs,
-Siva

Are you sure the browser isn't cacheing that page? Try hitting refresh after you hit back.

If the browser is caching the page then stick the no-cache directive at the start of all your dynamic pages so it doesn't.

Chz

Tony

Hi Tony,
   It's really very nice to get a immediate response from U. Thanx a lot for U'r help.
   I 've tried adding the foll code at the very beginning of all the pages.
 response.setHeader("Cache-Control", "no-store, no-cache");
 response.setHeader("Pragma", "no-cache");

Now, after logging out, if I press 'Back' button, I 'm getting an error page saying 'Warning: Page has Expired The page you requested was created using information you submitted in a form. This page is no longer available. As a security precaution, Internet Explorer does not automatically resubmit your information for you.

To resubmit your information and view this Web page, click the Refresh button. '

Once I press 'Refresh' button from the browser, it again takes me to the secured page...
If I could get some more help from U, it 'ld be really really great as it's slightly urgent!!! Thanx a lot in advance for the help done!
Cheers,
Siva

Could you put some simple System.out.println statments in your secured page that print out the session. Put statements inside the if (null==sess) statment and the else part to see which part of the code gets run. Also, turn on warnings in IE when servers try to set cookies.

Let me know when the browser asks for cookies, and what the page says the session is (It'll probably just give you a memory pointer address, but that's OK. If the VM hasn't restarted then the address will be the same for the same session and different for another one.

From there we can deduce what the problem is.

Chz

Tony

Hi Tony,
   Thanx a lot for U'r reply.
   I don't think so there's some problem with the code. It's working fine in Netscape4.5. But, it's not working in IE5.5 I was told that the same code works in IE5.0 and netscape4.7. I don't know what's up the IE5.5.
   As U said, I 've tried putting some 'System.out...' statements in the if else loops. It's returning correct values like, session is null after logging out.
   I couldn't understand onething: Y it's not working in IE5.5 as it's working in Netscape4.5, 4.7 & IE5.0. B'coz, I was struggling with this problem for the past 7-10 days...
   Anyway, if U could come up with some sols for this, that 'ld be really really great!!! Thanx a lot, Tony!
Chrs,
Siva

OK, next test.

After logging out, close the browser and restart it. Does it then force you to log in?

Sounds like a dumb question I know, but just give it a try and let me know what happens.

Chz

Tony

Hi,
   It's working fine in Netscape4.5. I was told that it should work in Netscpae4.7 but I 'ven't tested by myself; so I 'm not sure. In the same time, it's not working in both IE5.5 when i tested in my m/c. And, when i tested in my friend's m/c in IE5.0, eventhen, it's not working. So, it's working fine in netscpae and NOT in IE. Friend of mine told me that he faced the same type of probs some time ago in his project and told me that V 've to attach some patches or s/w getting from Sun to make this work. So, as I don't 've any other options, I 've a plan of sending a mail to Sun ask for a help... Let me see whether it works atleast after that.
   Anyway, thanx for U'r great help, Tony!
Chrs,
Siva

I'm having a similar problem and I wonder if you found a solution. I too am passing information from jsp to jsp. When the user hits the log off button and then the browser's "back" button, they would go to a secure page (cached). Putting:

<%
response.setHeader("Cache-Control","no-cache"); //HTTP 1.1
response.setHeader("Pragma","no-cache"); //HTTP 1.0
response.setDateHeader ("Expires", -1); //prevents caching at the proxy server
%>

in the jsp's now gives me a "page expired" error. How can I better present this?