problem without logout, how to solve it

Cathy Cruise
Greenhorn

Joined: Jun 13, 2004
Posts: 25
Hi,

I am stuck right now. Suppose a user logs in to my site, and that user didn't press "logout" but pressed the browser's back button until he reached the login page again. Then he is supposed to log in again. However, I found out that if I press the "forward" button in the browser, somehow it is still able to get into the site with the previous login name.

I already used session.removeAttribute("login"), session.invalidate(), response.setHeader("Cache-Control", "no-cache"), response.setDateHeader("Expires", -1), and response.setHeader("Pragma","no-cache"), but it still doesn't work. How come? What's the problem here, and how can I solve it?
Jeanne Boyarsky
author & internet detective
Marshal

Joined: May 26, 2003
Posts: 30949
    

Cathy,
So you are trying to prevent browser caching? Unfortunately, this is quite browser dependent. Do you know which browsers you need to support? It also depends on whether you are using http or https.

These articles for IE and Netscape are pretty good. Keep in mind that Netscape 4.7 and Netscape 6/7 work differently as they are essentially different browsers.


Sundar Gopal
Greenhorn

Joined: Jun 20, 2003
Posts: 17
You can also do it like this: put an object in the user session, let's say username, when he logs on to the system, and check for that username object in the session in the following JSP pages, like this:
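<html>
<head></head>
<%
// Read the login marker that was stored in the session at logon
String userName = (String) session.getAttribute("username");

if (userName == null /* || some other condition you have to check */) {
    response.sendRedirect("Login.jsp");
    return; // stop processing the page once the redirect has been sent
} else {
%>
<body>

all the presentation goes here......

</body>
<% } /* this brace is for the above else */ %>
</html>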

If the user has logged out or if the session expires, the session attribute is lost, and so the user will always be directed to the login page or the error page which you will mention, even if he presses the back button of the browser. But if he has a valid session, the entire page will execute without problem. I think this approach solves your problem......


Regards,
SundarGopal.
Scjp, Scwcd, Scbcd.
Jeanne Boyarsky
author & internet detective
Marshal

Joined: May 26, 2003
Posts: 30949
    

Sundar,
The problem with that is you still need to force the browser to go to the server for each request. You don't want it to use the cached copy once the user is logged out.
Shankar Narayana
Ranch Hand

Joined: Jan 08, 2003
Posts: 134
Hi Cathy,

If you can apply the Synchronizer Token Pattern, your problem will be solved.

Refer to this site:

http://www.javajunkies.org/index.pl?lastnode_id=3355&node_id=3355

shankar


"Failure is not when you fall down; it's only when you fail to get up again."
Cathy Cruise
Greenhorn

Joined: Jun 13, 2004
Posts: 25
Jeanne, yes, I tried to prevent caching and I tested it. The pages were not cached into my temporary internet files; however, I feel that it is the name and the password that are cached on the computer. I used the META http-equiv (or response.setHeader(), addHeader(), etc.), yet I can still go forward if someone didn't press "logout" before. If you don't understand what I mean, try going to Yahoo Mail and log in. Go to any pages you want. Then don't press logout. Just keep going back and back, until you reach the login page again. Then press the forward button. You can still log in without typing the password again~

Is there any other way to prevent the browser from caching?
Julian Kennedy
Ranch Hand

Joined: Aug 02, 2004
Posts: 823
Hi Cathy,

From what I can glean from the articles that Jeanne recommended there are certain circumstances under which browser caching cannot be prevented. The variables that define these circumstances are as follows:
  • HTTP or HTTPS: Are you using HTTPS or just plain old HTTP?
  • Browser and version: Which browser(s) are you seeing this behaviour in? What version(s) are you using?
  • Web server: Which web server are you using? What version? Is it using HTTP 1.0 or 1.1?
  • HTML META tags versus HTTP headers: What does your HTML <HEAD> section look like? Are you sure you're setting Cache Control in the HTTP 1.1 header? (that won't show up in the page source)

Again, from what I understood, if your web server is using HTTP 1.1, you have Cache Control on in the HTTP header and your version of IE is IE4 SP1 or later then your pages will not be cached, so the Back and Forward buttons will not work. The other two settings are only relevant to earlier versions of IE and are not 100% reliable. It appears to indicate that Netscape 4 will honour the no-cache pragma in the HTML META tag. The page expiry marker seems pretty superfluous other than as a catch-all for other browsers, with no guarantees.

The bottom line is that it's up to the browser to honour the information sent to it via HTTP regarding caching. If I want to use Jules's Naughty Browser, that I implemented myself, to browse your pages I can do what I want. There's only so far you can take this.

I hope that's some help. If you post your answers to the questions above then maybe we can get to the bottom of what is happening in your case.

Jules
Cathy Cruise
Greenhorn

Joined: Jun 13, 2004
Posts: 25
1. I am using http, plain old http
2. browser: probably use the browser xp with version 6.0 and Netscape 7.1
(It is even worse in Netscape 7.1: with my website, I couldn't go back into the internal pages after I logged out using Internet Explorer 6.0. However, it was able to do so if I used Netscape 7.1.)
3. I am using Apache server. I think it is using http 1.1

My header looks like this:
response.setHeader("Expires", "Sat, 6 May 1995 12:00:00 GMT");
response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
response.addHeader("Cache-Control", "post-check=0, pre-check=0");
response.setHeader("Pragma", "no-cache");
response.setDateHeader("Expires", -1);

Hopefully this helps me solve the problem la.
Thank you~

Cathy
Julian Kennedy
Ranch Hand

Joined: Aug 02, 2004
Posts: 823
Hi Cathy,

I've had a look but I'm afraid I can't see anything wrong with what you're doing even if your Apache server (Tomcat?) is using HTTP 1.0. I checked out the response headers using web-sniffer.net and they seem OK.

Racking my brains, I can't ever remember seeing this kind of thing working in any sites that don't use HTTPS. If you really want/need security then maybe that's the way to go.

Sorry I couldn't be of further help.

Jules
Cathy Cruise
Greenhorn

Joined: Jun 13, 2004
Posts: 25
Hum. How about saying no to set-cookies..?
I tried it, but it won't work.. or did I do it wrong?

<META HTTP-EQUIV="Set-Cookie" CONTENT="cookievalue=xxx;expires=Wednesday, 29-Dec-99 13:14:26 GMT; path=/"> That will be the code, right?

Cathy
     