posted 18 years ago
Two possible causes for the problem:
1. Your filter doesn't map to the linked pages. It must cover everything that you want to protect, not just your main page.
2. Even if the filter covers everything, the browser stores the pages in a cache. When the user clicks "Back", the browser can use the cached pages without actually asking the server for the page again. This means the server doesn't even know that the user is viewing the page a second time, so the filter becomes useless.
For case 2, all the pages you want to protect need to set headers that would tell the browser to never cache the pages.
Try putting the following three calls in the doFilter() of the filter:
response.setHeader("Cache-Control", "no-cache");
response.setHeader("Pragma", "no-cache");
response.addHeader("Cache-Control", "no-store");
This way no page retrieved through the filter will be cached by browsers that respect these headers.
Note that if your filter only protects the main page, you need to follow Daniel's advice and have each page check the session to see if the user is logged in or not. In this case the headers must be set in every page to make sure they are not cached.
-Yuriy
[ August 18, 2005: Message edited by: Yuriy Zilbergleyt ]