Disable browsers back button if the session is invalidated [duplicate]

Answer 1

This is working perfectly. i used the following to clear the cache. and i'm invalidating the session in logout.jsp, when clicked, it checks for some token attribute (which is set when the user logs in), and if it doesn't find it, it redirects to the login page.

<%

response.setHeader("Cache-Control","no-cache");
response.setHeader("Cache-Control","no-store");
response.setHeader("Pragma","no-cache");
response.setDateHeader ("Expires", 0);
    if(session.getAttribute("token")==null){
    response.sendRedirect(request.getContextPath() + "/LogOut.jsp");

}
%>

thanks for the suggestion though. I will certainly put it into action. every help and suggestion is appreciated.

Answer 2

You can disable the back button on the logout page. so that user can't go back once he clicked on logout. Add this script to the page ,

<SCRIPT type="text/javascript">
    window.history.forward();
    function noBack() { window.history.forward(); }
</SCRIPT>

And also in your jsp ,

   <BODY onload="noBack();"
    onpageshow="if (event.persisted) noBack();" onunload="">

Another suggestion is dont blindly redirect the user to the login page if session gets expired . simply have a link to login in your logout page

Hope this helps !!

Answer 3

Try this code

Add this class "NoCacheFilter " in your project

 @WebFilter(servletNames = { "Faces Servlet" })
 public class NoCacheFilter implements Filter {

/**
 * doFilter Method.
 * <p>
 * 
 * <pre>
 * 
 * </pre>
 * 
 * </p>
 * @param request
 * @param response
 * @param chain
 * @throws IOException
 * @throws ServletException
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
        ServletException {
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse res = (HttpServletResponse) response;

    if (!req.getRequestURI().startsWith(req.getContextPath() + ResourceHandler.RESOURCE_IDENTIFIER)) {                                                                                                            

        res.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        res.setHeader("Pragma", "no-cache");
        res.setDateHeader("Expires", 0);
    }

    chain.doFilter(request, response);
}

/**
 * Initial Method.
 * <p>
 * 
 * <pre>
 * 
 * </pre>
 * 
 * </p>
 * @param filterConfig
 * @throws ServletException
 */
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}

/**
 * Destroy Method.
 * <p>
 * 
 * <pre>
 * 
 * </pre>
 * 
 * </p>
 */
@Override
public void destroy() {
}
}

https://eclipse.googlesource.com/eclipselink/examples/mysports/+/b37750abf978fc8daee30ef4c214cf88857371b3/admin.web/src/main/java/eclipselink/example/mysports/admin/jsf/NoCacheFilter.java