Disable browsers back button if the session is invalidated [duplicate]

Question

This question already has answers here:

Prevent user from seeing previously visited secured page after logout (7 answers)

Closed 7 years ago.

I'm working on JSP. I know there are many posts regarding this topic but nothing is working for me. I have a login page which leads to a welcome page. The session is invalidated when the user clicks on logout and is then redirected to the login page. But if the user clicks the browsers back button he is again taken to the welcome page, although if he presses any other button or refreshes the page he will be taken to the login page because the session has expired. But I don't want the user to be able to access the welcome page by clicking the browsers back button once he's logged out. I tried using the following:

<meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
<meta http-equiv="Pragma" content="no-cache" />
<meta http-equiv="Expires" content="-1" />

but it's not working.

I tried using:

window.history.forward(1);

it works fine, but it leads to another problem. If the user logs in and is taken to the welcome page. then the user presses a button let's say "show user details" and the user is taken to the "show user details" page. now if the user clicks the back button to go back to the welcome page. He stays on the same "show user details" page, because of the window.history.forward(1) on the welcome page.

I want that the user should be able to use the browsers back button if the session is valid. If the session is invalid he should not be able to use the browsers back button.

Answer 1

This is working perfectly. i used the following to clear the cache. and i'm invalidating the session in logout.jsp, when clicked, it checks for some token attribute (which is set when the user logs in), and if it doesn't find it, it redirects to the login page.

<%

response.setHeader("Cache-Control","no-cache");
response.setHeader("Cache-Control","no-store");
response.setHeader("Pragma","no-cache");
response.setDateHeader ("Expires", 0);
    if(session.getAttribute("token")==null){
    response.sendRedirect(request.getContextPath() + "/LogOut.jsp");

}
%>

thanks for the suggestion though. I will certainly put it into action. every help and suggestion is appreciated.

Answer 2

You can disable the back button on the logout page. so that user can't go back once he clicked on logout. Add this script to the page ,

<SCRIPT type="text/javascript">
    window.history.forward();
    function noBack() { window.history.forward(); }
</SCRIPT>

And also in your jsp ,

   <BODY onload="noBack();"
    onpageshow="if (event.persisted) noBack();" onunload="">

Another suggestion is dont blindly redirect the user to the login page if session gets expired . simply have a link to login in your logout page

Hope this helps !!

Answer 3

Try this code

Add this class "NoCacheFilter " in your project

 @WebFilter(servletNames = { "Faces Servlet" })
 public class NoCacheFilter implements Filter {

/**
 * doFilter Method.
 * <p>
 * 
 * <pre>
 * 
 * </pre>
 * 
 * </p>
 * @param request
 * @param response
 * @param chain
 * @throws IOException
 * @throws ServletException
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
        ServletException {
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse res = (HttpServletResponse) response;

    if (!req.getRequestURI().startsWith(req.getContextPath() + ResourceHandler.RESOURCE_IDENTIFIER)) {                                                                                                            

        res.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        res.setHeader("Pragma", "no-cache");
        res.setDateHeader("Expires", 0);
    }

    chain.doFilter(request, response);
}

/**
 * Initial Method.
 * <p>
 * 
 * <pre>
 * 
 * </pre>
 * 
 * </p>
 * @param filterConfig
 * @throws ServletException
 */
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}

/**
 * Destroy Method.
 * <p>
 * 
 * <pre>
 * 
 * </pre>
 * 
 * </p>
 */
@Override
public void destroy() {
}
}

https://eclipse.googlesource.com/eclipselink/examples/mysports/+/b37750abf978fc8daee30ef4c214cf88857371b3/admin.web/src/main/java/eclipselink/example/mysports/admin/jsf/NoCacheFilter.java