Your filter is setting the no-cache headers on welcome.html only, not on the restricted pages. So whenever the browser requests any of those restricted pages via the back button, it will likely show the cached version. Your filter needs to set the no-cache headers on all restricted pages.
So, you need to change

    if (session == null || session.getAttribute("username") == null) {
        response.sendRedirect("welcome.html"); // No logged-in user found, so redirect to login page.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
        response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
        response.setDateHeader("Expires", 0);
    } else {
        chain.doFilter(req, res);
    }

to

    if (session == null || session.getAttribute("username") == null) {
        response.sendRedirect("welcome.html"); // No logged-in user found, so redirect to login page.
    } else {
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
        response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
        response.setDateHeader("Expires", 0);
        chain.doFilter(req, res);
    }