Question

I have a web application running on Spring Webflow with Spring Security. I have a problem logging out because my app kinda remembers the last page after logging out. When I press back or directly paste the URL into the address bar, it can direct the page to the login page, but if I log in, it will go directly to the last page I went to before logging out. It tends to remember its last state. Below is my application-config snippet.

    <security:logout logout-url="/logout.do" invalidate-session="true" 
        logout-success-url="/logoutSuccess.do" />

Link in my page

      <a href="logout.do">#{label.labellogout}</a>

Solution

The expired-url attribute

The URL a user will be redirected to if they attempt to use a session which has been "expired" by the concurrent session controller because the user has exceeded the number of allowed sessions and has logged in again elsewhere. Should be set unless exception-if-maximum-exceeded is set. If no value is supplied, an expiry message will just be written directly back to the response.

Sounds like your session is still valid after a logout. Try to make it invalid after logout.

Text is from: Spring Doc

OTHER TIPS

Not sure that I correctly understand your problem but:

B.1.1.4. session-fixation-protection

Indicates whether an existing session should be invalidated when a user authenticates and a new session started. If set to "none" no change will be made. "newSession" will create a new empty session. "migrateSession" will create a new session and copy the session attributes to the new session. Defaults to "migrateSession". If enabled this will add a SessionFixationProtectionFilter to the stack. The session fixation protection options on namespace-created instances of AbstractProcessingFilter will also be set appropriately.

Can be read here link
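
The settings quoted in the two answers above, combined in one configuration. This is an added example, not code from the original posts; it assumes the Spring Security 2.0-style namespace that the quoted reference text describes (in 3.x and later the same options live on a `<session-management>` element), and `/sessionExpired.do` and `max-sessions="1"` are hypothetical values.

```xml
<!-- Added example. /logout.do and /logoutSuccess.do come from the question;
     /sessionExpired.do and max-sessions="1" are hypothetical. -->
<security:http auto-config="true"
               session-fixation-protection="newSession">
    <!-- session-fixation-protection:
           "none"           keeps the pre-login session as it is
           "migrateSession" (default) creates a new session but copies every
                            attribute of the old one into it
           "newSession"     creates a new, empty session at login, so nothing
                            stored before authentication carries over -->

    <!-- the application's intercept-url rules go here (omitted) -->

    <!-- invalidate-session="true" discards the HttpSession when /logout.do
         is requested, before redirecting to the success URL -->
    <security:logout logout-url="/logout.do"
                     invalidate-session="true"
                     logout-success-url="/logoutSuccess.do" />

    <!-- expired-url: where a user is sent when using a session that was
         expired because the same account logged in again elsewhere.
         Without it, an expiry message is written straight to the response. -->
    <security:concurrent-session-control max-sessions="1"
                                         expired-url="/sessionExpired.do" />
</security:http>
```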

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow