after logout click on back button cache issue

梦谈多话 2021-01-06 05:47
<%
    response.setHeader("Cache-Control","no-cache,no-store,must-revalidate");//HTTP 1.1
    response.setHeader("Pragma","no-cache"); //HTTP 1.0
    resp         


4 Answers
  • 2021-01-06 06:02

    Create a session attribute, let's say "valid", and initialize it with any value other than null in the JSP, just after the login credentials were matched. Now create a verify.jsp with the following code:

    <%
    response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
    response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
    if(session.getAttribute("valid")==null)
    {
        out.println("<script>parent.location.href='login.jsp'</script>");
    }
    %>
    

    Now simply include this JSP file on each JSP page and it's done. Do not forget to write "session.invalidate();" in logout.jsp.

    Hope it will work..!!!

  • 2021-01-06 06:05

    > I am including this in all my jsps inside body tag

    This might be too late when the HTTP response is already committed at that point. An HTTP response will be committed when an X amount of characters have already been written to it, which will in your case be the HTML <head>. You need to put those lines in the very top of the JSP file, not in the <body> of the HTML representation.


    On an unrelated note, you're making a huge design mistake by copypasting the same lines of code over multiple files. This is not DRY. Whenever you need to copypaste code, you should always stop and ask yourself if there isn't a single place to execute the particular code. In your particular case, you should have used a Filter instead. For a concrete example, see also this answer: Prevent user from seeing previously visited secured page after logout. Also, writing Java code in JSPs is a bad practice. Check How to avoid Java code in JSP files?

    Also, your logout method is strange. Don't store the username in some custom cookie. You're basically reinventing the session. Just store the logged-in user as a session attribute instead and invalidate the entire session and send a redirect.

    request.getSession().invalidate();
    response.sendRedirect(request.getContextPath() + "/home.jsp");
    

    For background information on working of session, read this: How do servlets work? Instantiation, sessions, shared variables and multithreading

  • 2021-01-06 06:17

    If you are using the back button from the browser, there is nothing you can do. The page will always come from the cache.

    Just make sure you invalidate the session when the user clicks logout. That way when the user hits 'back' and tries to use the page he will be redirected to the login page (If your site is programmed correctly).

    [EDIT]

    Here is the header we put to have no cache for http 1.1 :

    httpResponse.setHeader("Cache-Control", "private,no-store,no-cache");
    
  • 2021-01-06 06:21

    Have you tried response.setHeader("Cache-control","no-store"); response.setHeader("Pragma","no-cache"); response.setDateHeader("Expires", -1);? I think you're missing the quotes at the right place..
