Logged out access

Ashish Malik
Ranch Hand

Joined: Jul 11, 2010
Posts: 50
I have created a web app that only accepts authorized users to view certain pages. After a user logs out, he can however still view the pages by using the browser's 'back' button, although they cannot interact with it, i.e. any link is forbidden. I want them not to be able to even view those pages after they have logged out.


Abhishek Purwar
Ranch Hand

Joined: Dec 15, 2007
Posts: 63

After logout, you can set the following values in the response header and it will work.

HttpServletResponse httpResponse = (HttpServletResponse) res;
httpResponse.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
httpResponse.setHeader("Pragma", "no-cache"); // HTTP 1.0.
httpResponse.setDateHeader("Expires", 0); // Proxies.

Try this and let me know your feedback.

Abhishek Purwar,
Bangalore.
Ashish Malik
Ranch Hand

Joined: Jul 11, 2010
Posts: 50
Where do I need to put this? In the servlet that the 'logout' link lands on? There I have only invalidated the session....
I put it there and it didn't work.
Abhishek Purwar
Ranch Hand

Joined: Dec 15, 2007
Posts: 63

Create one servlet and for every request, set response header with this.
Ajeeth Kumar
Ranch Hand

Joined: Mar 30, 2005
Posts: 56
You can include a blank header (or footer) element in all your JSP pages and set the following inside it using scriptlets.

httpResponse.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
httpResponse.setHeader("Pragma", "no-cache"); // HTTP 1.0.
httpResponse.setDateHeader("Expires", 0); // Proxies.


The simple way of doing that is to use the include-coda option in your web.xml. If you are using Struts then you can configure the same using Tiles.
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18541

That non-caching code is useful in its way, but if your application isn't coded to keep track of logged-in users properly then it doesn't answer Ashish's question.

The way to keep track of logged-in users is to keep a special "user" object in their session. This would contain whatever information the application needs to know about the user (e.g. the user's name so it can say "Hello Ashish").

When the user logs in, the login servlet creates a user object and adds it to the session. When the user logs out, the logout servlet removes that object from the session. Then at any time if you want to know if the user is logged in, you simply look in the session for that object. Not there? Not logged in. In this case it doesn't matter how the request is generated, in particular it doesn't make any difference whether the back-button was involved.

Just testing the existence of a session isn't going to work reliably.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61095

Ajeeth Kumar wrote: You can include a blank header (or footer) element in all your JSP pages and set the following inside it using scriptlets.

No, no, no, no, no, no, no.

And did I mention, no!

Firstly, using scriptlets is irresponsible in 2011.

Secondly, there's no need to pollute each and every page with this goop; use a servlet filter to add the headers.

Thirdly, what is up with the "blank element"?

Fourthly, doing this at the end of a JSP, whether in a coda or not, will just cause an IllegalStateException. You cannot add headers after emitting content.


[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
Ashish Malik
Ranch Hand

Joined: Jul 11, 2010
Posts: 50
I have used the addition of 'user object' in the session so no problems there.
Also, I tried to set these headers in the response from where the JSP page is spit out. No use.
Abhishek Purwar
Ranch Hand

Joined: Dec 15, 2007
Posts: 63

Ashish Malik wrote: I have used the addition of 'user object' in the session so no problems there.
Also, I tried to set these headers in the response from where the JSP page is spit out. No use.


Did your issue get fixed with the mentioned changes or not?
Ashish Malik
Ranch Hand

Joined: Jul 11, 2010
Posts: 50
Apparently only Opera is able to show the page at back button hit after including the response headers.