How to logout session using invalidate() in servlet [duplicate]

Question

This question already has answers here:

Prevent user from seeing previously visited secured page after logout (7 answers)

Closed 7 years ago.

protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
    {
        HttpSession session = request.getSession();
        if(session != null)
        {
            try
            {
                response.setHeader("Cache-Control","no-cache"); //Forces caches to obtain a new copy of the page from the origin server
                response.setHeader("Cache-Control","no-store"); //Directs caches not to store the page under any circumstance
                response.setDateHeader("Expires", 0); //Causes the proxy cache to see the page as "stale"
                response.setHeader("Pragma","no-cache"); //HTTP 1.0 backward compatibility
                session.setAttribute("admin_name",null);
                session.invalidate();
                response.sendRedirect("login.jsp");
            }
            catch(Exception e)
            {
                System.out.println(e.getMessage());
                System.out.println(e);
            }

        }
        else
        {


        }
    }

This is my servlet. I am going to logout the session that i created using name admin_name. when i logout the session it successfully hit the login page. but when i press back button it go to the previous page. I didn't understood why these happen even if i invalidate that session. but when i refresh that page it will again hit the login page.

Here the code that i used in jsp page.

<%
        String name = null;
        if (session.getAttribute("admin_name") == null) {
            response.sendRedirect("login.jsp");
        } else {
            name = (String) session.getAttribute("admin_name");
        }
    %>

Answer 1

Session is invalidated immediately once you call .invalidate method

From docs ,

invalidate

void invalidate()
Invalidates this session then unbinds any objects bound to it.

From your question

I didn't understood why these happen even if i invalidate that session. 

but when i refresh that page it will again hit the login page.

It is because the page is loaded from the browser cache , even if it goes to the previous page you can't send any request from the page loaded

Update

Check this How to clear browser cache using java

Hope this helps!!

Answer 2

In this case you have successfully expired your session. This is the facility in your browser that when ever you click back button, it shows catched copy of webpage. So if you click refresh page, you will not see that page again. In this case your web page will not be processed because session has expired and will go to login page again.