Question

I want to create a logout action in JSPs such that there is no back action. Presently, I am using the session.invalidate() method to kill my existing session and redirecting to the login page.

But that doesn't prevent the page from being loaded if the user presses the back button. After searching I came to know that something like SSL is used for that purpose. Can anyone tell me what SSL is (other than its full form :) (Secure Socket Layer))? How is it used?

Other than that, after much searching I found this code:

<%
response.setHeader("Cache-Control","no-cache"); //HTTP 1.1
response.setHeader("Pragma","no-cache"); //HTTP 1.0
response.setDateHeader ("Expires", 0); //prevents caching at the proxy server
%>

I am keeping this code at the beginning of the body tag, but it is not working. What could be the error? I even tried with "no-store" in place of "no-cache". Can anyone tell me what else to change, or where I should keep that particular code? Other than this, does anyone have another solution?

Thanks in advance.


Solution

The Cache-Control header is incomplete. It must also contain no-store and must-revalidate.

response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.

See also:

Please note that those headers need to be set on every request which requires a login. Much easier is to have a single servlet filter for that, so that you don't need to copy-paste the same piece of code over all JSP pages. The above-mentioned link contains a concrete example. You can do that in the very same filter where you're checking the logged-in user, if you have any. Writing Java code inside a JSP file is a poor practice anyway.

SSL (read: HTTPS instead of HTTP) is only useful to prevent man-in-the-middle attacks wherein the entire HTTP traffic is captured and read by some malicious proxy, router, virus or something in the middle of the network traffic. Any potentially sensitive information such as submitted login data and the retrieved response are then visible as plaintext to the attacker. SSL will encrypt this traffic so that it's unreadable to the attacker. It does nothing with regard to caching and authentication. SSL is to be configured at server level, not at webapp level. Read the server documentation for details. E.g. Tomcat 7.0 SSL HOW-TO for Tomcat 7.0.x.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow