Form-based authentication - logout

Viv Singh
Ranch Hand

Joined: Nov 08, 2008
Posts: 73
Hi,

I have a web app which uses form-based authentication. I have a logout link; whenever the user clicks on the logout link I call something like this:



The problem is that if the user clicks the browser's "back" button he/she can go back to the web app. Is there a way to prohibit that?

(I searched on the net but could not find a suitable solution).

Thanks in advance.
ujjwal soni
Ranch Hand

Joined: Mar 28, 2007
Posts: 403
Hi,

There are various ways of doing this; one better way is to do this by using JavaScript.

Here's how you can do it.



location.replace will not let you go back to the original page.



OR

A way to do that without JavaScript is to use a meta refresh tag in the entry page to your site. If you have a banner ad or a link to you from another site you can prevent the user from going back (leaving your site). Put the following meta tag in the <head></head> section of your page to redirect to page2.html after 0 seconds.



You could put this in your home page and make page2.html your home page content.

OR

Block the back button of your browser by doing this




"HELPING HANDS ARE BETTER THAN PRAYING LIPS................................."


Cheers!!!
Ujjwal B Soni <baroda, gujarat, india> <+919909981973>
"Helping hands are better than praying lips......"
Bauke Scholtz
Ranch Hand

Joined: Oct 08, 2006
Posts: 2458
Viv Singh wrote:
The problem is that if the user clicks the browser's "back" button he/she can go back to the web app.

This can have two causes: the page is retrieved from the browser cache, or the security at the server side is bogus. If the first, just disable response caching by adding the appropriate response headers accordingly. If the second, just write proper code and/or make proper security configurations.
Bauke Scholtz
Ranch Hand

Joined: Oct 08, 2006
Posts: 2458
ujjwal soni wrote:
one better way is to do this by using JavaScript.

I wouldn't call it "one better way". It is one of the worst ways which I wouldn't even recommend as "last resort".

JS runs at the client side only. That's the biggest problem here.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41054
Also see the article on "A Thorough Examination of Disabling the Back Button" linked in the http://faq.javaranch.com/java/JavascriptLinks page.


Ping & DNS - my free Android networking tools app
Viv Singh
Ranch Hand

Joined: Nov 08, 2008
Posts: 73
Bauke Scholtz wrote:
This can have two causes: the page is retrieved from the browser cache, or the security at the server side is bogus. If the first, just disable response caching by adding the appropriate response headers accordingly. If the second, just write proper code and/or make proper security configurations.


How can I verify that my security configuration is not done properly?

Thanks.
Bauke Scholtz
Ranch Hand

Joined: Oct 08, 2006
Posts: 2458
Do a hard refresh of that request or a brand new request on that page (so that it is not being retrieved from cache). If the page is still displayed, then the authentication is bogus. That page should not be displayed if you aren't logged in, should it?