I don't know if this is specifically Struts related or not, but here goes. I have an application that uses Struts Tiles. At the basic level the user is presented a login page, he supplies credentials, once the credentials are validated an initial query is run and the user is presented with a summary page of the data. The state of the user is kept in a session variable. On the summary page there is a logout link. This invalidates the session and then goes back to the login page. The problem occurs if the user hits the browser back button after logging out. Initially the browser would say the page expired and to hit refresh. If that was done the form data would be reposted and the user would be fully logged back into the application without presenting any credentials. I fixed that by changing it to use a redirect instead of the forward to the summary page. Now when the user hits the back button after logging out, the summary page is redisplayed, but any attempt to do anything from there goes back to login page with the session expired message, as is expected. The problem is how to keep it from redisplaying the summary page at all from the back button. I can see the page in the browser cache. If I manually delete the summary page from the browser cache before hitting the back button, then all works as expected, it goes immediately to the login page. I have tried every manner of cache control in the baselayout.jsp, meta tags at the begnning and the end, as well as setHeader() calls. Nothing seems to stop the browser from caching the page. I know it's not going back to the server when the back button is hit, because I see no logs on the server. Also if I hit the refresh button at that point, it goes to the login page with the expires message as well. This is so frustrating. This is happening in both IE and FF.
When you hit back in the first case and press refresh, does it warn you that form data will be reposted?? I think your login credentials are send back to the server as you are using RequestDispatcher. This is I think expected behavior. You can use the token-interceptor to prevent that. If you are using redirect, normal NoCacheHeaders should work on the summary page...
I've solved the problem. It had to do with Struts Tiles. I had originally put the cache control template "baselayout.jsp". For some reason they did not work from there. For grins I tried moving the cache directives to the actual jsp page(s), (the ones that used the baselayout). Low and behold the cache directives started working. I don't understand it, but it solved my problem.