Sessions in Servlets

 
Greenhorn
Posts: 9
Hi,

My lib project is almost completed.....Implemented it in servlets.......thanks for the advice
Now I need to use sessions......
because after log out ....if they press browser back button it is still taking them to their profile.........which is completely wrong
I used the jsp code
<script language="JavaScript">
javascript:window.history.forward(1);
</script>
to prevent browser back button from going back to log on page after logging in........
but as I told you before, after log out it is still going back to their profile.........
How should I use Http Session.......?
 
Ranch Hand
Posts: 47
Try setting your profile page cache headers to an old date so when they try to go back, the page will have expired.
 
Ranch Hand
Posts: 73
Are you invalidating the session correctly upon logout? If so, are you correctly checking for valid sessions within your app throughout navigation in your JSPs?

I believe if both answers are "yes", then you will need to rely on JavaScript or browser settings... the user will not be able to do anything, because if you click on something after hitting the back button on the browser, the server will throw an error and send the user to a designated page (usually the main login screen).
 
Sheriff
Posts: 67747
This has nothing to do with sessions, but with caching.
 
Greenhorn
Posts: 20
Hi Rahul,

You can also add javascript:history.forward() in your logout page which will prevent the IE back button working.


-Sujata
 
Bear Bibeault
Sheriff
Posts: 67747
Which is a trick no self-respecting web developer would use, and which is easily defeated, thereby offering no added security.
 
Sujata Samal
Greenhorn
Posts: 20
Adding tricks on top of securities is . If someone reads carefully, I wrote "you can also add........"

-Sujata
 
Bear Bibeault
Sheriff
Posts: 67747
No. Using easily defeated tricks and pretending that they add security is just self-deception.
 
Sujata Samal
Greenhorn
Posts: 20
Ha ha...no one would pretend history.forward() adds security in the application!!

-Sujata
 
Bear Bibeault
Sheriff
Posts: 67747
Then what is your point?
 
Sujata Samal
Greenhorn
Posts: 20
Whoever posted this query should have read the other two replies..

-> invalidating cache
-> invalidating session in logout

So I meant in addition to this you can also add......history.forward()

Hope it's clear now.

-Sujata
 
Bear Bibeault
Sheriff
Posts: 67747
If it adds no extra security, I fail to see why anyone would add this. But to each...
 
Sujata Samal
Greenhorn
Posts: 20
As you wrote/I agreed, it does not add any security; it's just a trick to make it hard for the user to navigate back.

-Sujata
 
Marshal
Posts: 28226
Just a feature which annoys the user but has no practical purpose, then?
 
Sujata Samal
Greenhorn
Posts: 20
From my experience, there was a scenario

-> where the user submits a page, let's say from SubmittingPage, and clicks the back button and can submit again, but we wanted to avoid re-submit
-> we can't invalidate/expire the cache, as SubmittingPage can be accessed from another page and should populate the previously keyed-in values.

There might be some other ways to implement it (maybe using a one-time token), but we found implementing history.forward more convenient at that point in time.

In this case how can I say there is no practical purpose??

-Sujata.
 
Paul Clapham
Marshal
Posts: 28226
Sure, I suppose there might be a few cases where it's necessary to prevent the user from going back (even though it's not actually possible to do that). But the vast majority of the time when people want to do that, it's because they haven't figured out the right way to prevent the actual problem. I'm in favour of fixing the actual problem rather than installing a cheap hack which doesn't work reliably.
 
Ranch Hand
Posts: 384
I agree with Bear ...

You should check on the caching part though ...

And make sure you have invalidated the session upon logout ...

If so, and the user clicks the browser back button, then check for proper credentials before allowing the user to go back ... or otherwise just show an error page.
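
The three measures the replies converge on (no-cache headers on protected pages, invalidating the session at logout, and checking for a valid session on every request) fit in one servlet filter plus a logout servlet. This is an added example, not code from any poster in the thread; it assumes the javax.servlet API, a session attribute named "user" set at login, a /login.jsp page, and web.xml mappings for both classes.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: URL paths and the "user" attribute name are assumptions.
public final class LogoutHardening {

    /** Map this filter to the protected URLs (e.g. /app/*) in web.xml. */
    public static class AuthFilter implements Filter {
        @Override public void init(FilterConfig cfg) {}
        @Override public void destroy() {}

        @Override
        public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) rq;
            HttpServletResponse res = (HttpServletResponse) rs;

            // Forbid storing the page, so Back has to ask the server again
            // instead of redisplaying a copy from the browser cache.
            res.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
            res.setHeader("Pragma", "no-cache");   // for HTTP/1.0 caches
            res.setDateHeader("Expires", 0);       // a date in the past

            // getSession(false): never create a session just to test for one.
            HttpSession session = req.getSession(false);
            if (session == null || session.getAttribute("user") == null) {
                res.sendRedirect(req.getContextPath() + "/login.jsp");
                return;                            // protected page is not rendered
            }
            chain.doFilter(req, res);
        }
    }

    /** Map this servlet to /logout in web.xml; the logout form should POST to it. */
    public static class LogoutServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse res)
                throws IOException {
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.invalidate();              // server-side login state is gone
            }
            res.sendRedirect(req.getContextPath() + "/login.jsp");
        }
    }
}
```

With both in place, pressing Back after logout re-requests the profile URL, the filter finds no valid session, and the browser is redirected to the login page without any client-side script.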
 
Sujata Samal
Greenhorn
Posts: 20
Paul - Could you please share your thought(s) on how to resolve this kind of problem (other than one-time token)? I will definitely rethink to implement your solution/a feasible solution!!


-Sujata.
 