So here is the problem. When a user logs out of my website, they can still hit the back button and continue using the site. To keep track of whether the user is logged in or not
All my JSPs have no-cache headers (via @include directives). I have a logout.jsp in the root of the app with the following lines:
HttpSession sessIfAny = request.getSession(false); // false: do not create a session if none exists
if (sessIfAny != null) sessIfAny.invalidate();     // discard server-side state only when a session is present
This prevents creating unnecessary sessions.
The web.xml needs to exempt logout.jsp from authentication:
<!-- inside a <security-constraint> that has no <auth-constraint> -->
<web-resource-collection>
    <web-resource-name>excepted</web-resource-name>
    <url-pattern>/logout.jsp</url-pattern>
    <url-pattern>/favicon.ico</url-pattern>
</web-resource-collection>
This prevents a login page being shown to do a logout on an expired session.
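As an added example (not code from the question or the answer above), here are the same two pieces written against the servlet API instead of JSP: a filter that stamps every response with no-cache headers, so a page revisited via the back button is re-requested rather than served from the browser cache, and a logout servlet that mirrors logout.jsp. NoCacheFilter, LogoutServlet and the /logout mapping are assumed names; the filter is assumed to be mapped to /* in web.xml.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Added example: sets no-cache headers on every response passing through it.
 * Assumed to be registered in web.xml with <url-pattern>/*</url-pattern>.
 */
public class NoCacheFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        // HTTP/1.1 caches: never store, always revalidate with the server.
        resp.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        // HTTP/1.0 fallbacks for older proxies and browsers.
        resp.setHeader("Pragma", "no-cache");
        resp.setDateHeader("Expires", 0);
        chain.doFilter(req, res);
    }
}

/**
 * Added example: servlet equivalent of the answer's logout.jsp.
 * getSession(false) returns null instead of creating a session, so an
 * already-expired session does not get replaced by a fresh empty one.
 * Assumed mapping: /logout, listed in the unauthenticated
 * web-resource-collection just like /logout.jsp in the answer.
 */
class LogoutServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession sess = req.getSession(false);
        if (sess != null) {
            sess.invalidate(); // server-side state is gone; the old cookie now maps to nothing
        }
        // Send the browser to the public landing page (assumed to be the context root).
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```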