Our customer has raised a concern with our web application with the following scenario:
1. User logs in and uses the application.
2. User types a new address into the browser and navigates off our site without explicitly logging out.
3. User hits 'Back' and is returned to our application with the original session still active.
I have seen many articles and postings about controlling the browser cache and redirecting the user to the login page when the session has expired or been invalidated, but nothing covering this scenario, in which the session is still active. I'm not sure how to control this since we have a valid session. I am researching use of the 'Referer' header to see if it might be a reliable way to test whether a request came from within our application, but I suspect this is far from foolproof.
Anyone come across similar requirements from a customer, or have experience with using 'Referer' to control this?
I think there is no code like session.invalidate() to invalidate the session when logging out.
You have to write a front controller which checks every time whether a session has already been created for that user, and only then allow that user to access any URL (i.e. forward that request) that he types in the address bar.
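Below is an added example (not code from the original question or answer) that puts the two ideas on this page side by side: a front controller that checks for a live session on every request and invalidates it on logout, and a same-origin Referer test of the kind the question is researching. The session store, the `Request` class, the cookie name `session`, the paths, the origin `https://app.example` and the idle timeout are all constructed for illustration; the idle timeout is an assumed mitigation for the "left the site without logging out" case, not something the post proposes. Note what the Referer test can and cannot tell you: a request with no Referer (typed address, or a browser that suppresses the header) fails it, but a request that the browser re-issues on Back carries the Referer of its original navigation, which is the application's own page, so it is indistinguishable from ordinary in-app navigation.

```python
"""Front-controller session check, logout invalidation, and a Referer test.

Added example for illustration; not from the original post. Everything here
(SessionStore, Request, cookie name, paths, origin, timeout) is constructed.
"""
import secrets
import time
from dataclasses import dataclass, field

SITE = "https://app.example"          # assumed origin of the application
PUBLIC_PATHS = {"/login"}             # URLs that do not require a session
COOKIE = "session"                    # assumed session cookie name


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed)."""
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


class SessionStore:
    """Server-side session table with an idle timeout (assumed mitigation)."""

    def __init__(self, idle_timeout=900):
        self._sessions = {}           # session id -> {"user": ..., "last_seen": ...}
        self.idle_timeout = idle_timeout

    def create(self, user, now):
        sid = secrets.token_urlsafe(32)   # unguessable id, 256 bits of entropy
        self._sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def lookup(self, sid, now):
        """Return the session if it exists and is not idle-expired, else None."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > self.idle_timeout:
            self.invalidate(sid)      # stale session: drop it server-side
            return None
        s["last_seen"] = now          # sliding window: activity extends the session
        return s

    def invalidate(self, sid):
        """The server-side equivalent of session.invalidate()."""
        self._sessions.pop(sid, None)


def front_controller(store, req, now):
    """Gate every non-public URL on a live session; returns (status, body)."""
    if req.path in PUBLIC_PATHS:
        return 200, "login page"
    sid = req.cookies.get(COOKIE)
    session = store.lookup(sid, now) if sid else None
    if session is None:
        return 302, "/login"          # no session: send the user to log in
    if req.path == "/logout":
        store.invalidate(sid)         # explicit logout kills the session
        return 302, "/login"
    return 200, f"hello {session['user']}"


def came_from_our_site(req):
    """Same-origin Referer test. True only when a Referer from SITE is present.

    This cannot detect a Back navigation: the browser re-sends the Referer the
    page originally had, which for an in-app page is SITE itself.
    """
    ref = req.headers.get("Referer", "")
    return ref == SITE or ref.startswith(SITE + "/")


if __name__ == "__main__":
    store = SessionStore(idle_timeout=900)
    now = int(time.time())
    sid = store.create("alice", now)
    print(front_controller(store, Request("/account", cookies={COOKIE: sid}), now + 10))
    print(front_controller(store, Request("/logout", cookies={COOKIE: sid}), now + 20))
    print(front_controller(store, Request("/account", cookies={COOKIE: sid}), now + 30))
    print(came_from_our_site(Request("/account", headers={"Referer": SITE + "/home"})))
    print(came_from_our_site(Request("/account")))
```

Run it directly to see the three outcomes in order: a valid session is served, logout redirects to the login page, and the same cookie presented afterwards is rejected because the server-side entry is gone. The last two lines show that the Referer test accepts any same-origin Referer and rejects its absence, which is why it answers "did a link on our site lead here?" rather than "did the user leave and come back?".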