problem without logout, how to solve it

 
Cathy Cruise
Greenhorn
Posts: 25
Hi,

I am stuck right now. Suppose a user logs in to my site, and that user didn't press "logout" but pressed the browser's back button until he got back to the login page again. Then he is supposed to log in again. However, I found out that if I press the "forward" button in the browser, it is somehow still able to get into the site with the previous login name.

I used session.removeAttribute("login"), session.invalidate(); and response.setHeader("Cache-Control", "no-cache"), response.setDateHeader("Expires", -1), and response.setHeader("Pragma","no-cache") already, but still doesn't work. How come? What's the problem here, and how can I solve it?
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 33697
Cathy,
So you are trying to prevent browser caching? Unfortunately, this is quite browser dependent. Do you know which browsers you need to support? It also depends on whether you are using http or https.

These articles for IE and Netscape are pretty good. Keep in mind that Netscape 4.7 and Netscape 6/7 work differently as they are essentially different browsers.
 
Sundar Gopal
Greenhorn
Posts: 17
You can also do it like this: put an object in the user session, let's say username, when he logs on to the system, and check for that object username in the session in the following JSP pages, like this:

<html>
<head></head>
<%
// "username" is the object put in the session at logon.
String userName = (String) session.getAttribute("username");

// Add any other condition you have to check to this test.
if (userName == null) {
    response.sendRedirect("Login.jsp");
} else {
%>
<body>

all the presentation goes here......

</body>
<% } // this brace is for the above else %>
</html>

If the user has logged out or if the session expires, the session attribute is lost, so the user will always be directed to the login page or the error page which you will mention, even if he presses the back button of the browser. But if he has a valid session, the entire page will execute without problem. I think this approach solves your problem......
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 33697
Sundar,
The problem with that is you still need to force the browser to go to the server for each request. You don't want it to use the cached copy once the user is logged out.
 
Shankar Narayana
Ranch Hand
Posts: 134
Hi Cathy,

If you can apply the Synchronizer Token Pattern, your problem will be solved.

refer to this site

http://www.javajunkies.org/index.pl?lastnode_id=3355&node_id=3355

shankar
 
Cathy Cruise
Greenhorn
Posts: 25
Jeanne, yes I tried to prevent caching and I tested. The pages were not cached into my temporary internet files, however I feel that it is the name and the password that are cached on the computer. I used the META http-equiv (or the response.setHeader(), addHeader(), etc.) yet I can still go forward if someone didn't press "logout" before. If you don't understand what I mean, try to go to Yahoo mail. And log in. Go to any pages you want. Then don't press logout. Just keep going back and back, until you get back to the login page. Then press the forward button. You can still log in without typing the password again~

Is there any other way to prevent the browser from caching?
 
Julian Kennedy
Ranch Hand
Posts: 823
Hi Cathy,

From what I can glean from the articles that Jeanne recommended there are certain circumstances under which browser caching cannot be prevented. The variables that define these circumstances are as follows:
  • HTTP or HTTPS: Are you using HTTPS or just plain old HTTP?
  • Browser and version: Which browser(s) are you seeing this behaviour in? What version(s) are you using?
  • Web server: Which web server are you using? What version? Is it using HTTP 1.0 or 1.1?
  • HTML META tags versus HTTP headers: What does your HTML <HEAD> section look like? Are you sure you're setting Cache Control in the HTTP 1.1 header? (that won't show up in the page source)

Again, from what I understood, if your web server is using HTTP 1.1, you have Cache Control on in the HTTP header and your version of IE is IE4 SP1 or later then your pages will not be cached, so the Back and Forward buttons will not work. The other two settings are only relevant to earlier versions of IE and are not 100% reliable. It appears to indicate that Netscape 4 will honour the no-cache pragma in the HTML META tag. The page expiry marker seems pretty superfluous other than as a catch-all for other browsers, with no guarantees.

The bottom line is that it's up to the browser to honour the information sent to it via HTTP regarding caching. If I want to use Jules's Naughty Browser, that I implemented myself, to browse your pages I can do what I want. There's only so far you can take this.

I hope that's some help. If you post your answers to the questions above then maybe we can get to the bottom of what is happening in your case.

Jules
     
Cathy Cruise
Greenhorn
Posts: 25
1. I am using http, plain old http
2. browser probably use the browser xp with version 6.0 and netscape 7.1
(even worse in the netscape 7.1, because with my website, I couldn't go back into the internal pages if I logged out using Internet Explorer 6.0. However, it would be able to do so if I use netscape 7.1)
3. I am using apache server. I think it is using http 1.1

My header looks like this:
response.setHeader("Expires", "Sat, 6 May 1995 12:00:00 GMT");
response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
response.addHeader("Cache-Control", "post-check=0, pre-check=0");
response.setHeader("Pragma", "no-cache");
response.setDateHeader("Expires", -1);

Hopefully this helps me solve problem la.
Thank you~

Cathy
     
Julian Kennedy
Ranch Hand
Posts: 823
Hi Cathy,

I've had a look but I'm afraid I can't see anything wrong with what you're doing even if your Apache server (Tomcat?) is using HTTP 1.0. I checked out the response headers using web-sniffer.net and they seem OK.

Racking my brains, I can't ever remember seeing this kind of thing working in any sites that don't use HTTPS. If you really want/need security then maybe that's the way to go.

Sorry I couldn't be of further help.

Jules
     
Cathy Cruise
Greenhorn
Posts: 25
Hum. How about say no to set-cookies..?
But then I tried it, but it won't work.. or did I do it wrong?

<META HTTP-EQUIV="Set-Cookie" CONTENT="cookievalue=xxx;expires=Wednesday, 29-Dec-99 13:14:26 GMT; path=/"> that will be the code right?

Cathy
     