logout problem

Hi all, I have this weird problem.

After logging out from the page, and then I clicked the back button. It retrieves the previous page from cache. I have no complaints on that cause now the application is still in logoff status. But when i press the refresh/reload button a box come out with
"The page cannot be refresh without resending informtion. Click retry to resend info."
When i click retry i am automatically log back in and can go anywhere in the application. So how does one solve this problem?

what mechanism you are using to log out the user?
As you described it seems that you are sending some information through html fields to the logout page.

At the logout page i done the following

HttpSession ses = request.getSession(true);
String pwd = (String)ses.getAttribute("userpwd");
String id = (String)ses.getAttribute("userid");
if (pwd!=null && id!=null){
ses.removeAttribute("userpwd");
ses.removeAttribute("userid");
}

what is the problem?

You should try a session.invalidate().

yeah i put invalidate but the problem still persist. Should i put code to clear the cache? or is this problem have to do with browsers only. Thanks

ses.removeAttribute("userpwd");
ses.removeAttribute("userid");
ses.invalidate();

Two possible solutions:

use response header directives to prevent caching

use a session attribute to check if the current user is a valid user

Of course, if you are concerned about unauthorized users accessing the page, preventing caching will not solve this problem. Use the session attribute to control access to your pages. So for instance, on each page, if the session attribute is null, this would mean the user has not followed the proper procedure of login, so you deny them access. Once a user has logged in successfully, you set the session attribute to some meaningful value (anything really, just so it's not null). And finally, as Gert stated, you should call session.invalidate() once the user logs out. This will clear the session attributes and therefore, if the user hits the back button, the session attribute will be null and hence the user will be denied access.

You can also use Filter Servlet to do that. See FilterServlet for detail.

I think my problem could be due to frames. My page have 2 frames. When i logout the menu frame directed the main frame to go to logout but menu frame still remains and have not logout. So how can I solve this? Both my frames check whether got session.

Thanks

I think my problem now is logging off at 2 frames at once. One on the frame menu and the other the main menu. Anyone has this problem b4 or experience this situation? Thanks

To prevent the caching of your JSP's, add the following code
<%
response.setHeader("Cache-Control","no-cache");
response.setHeader("Expires", "0");
response.setHeader("Pragma", "No-cache");
response.addHeader("Cache-control", "no-store"); // tell proxy not to cache
response.addHeader("Cache-control", "max-age=0"); // stale right away
%>