
Logged out access

 
Ashish Malik
Ranch Hand
Posts: 50
I have created a web app that only allows authorized users to view certain pages. After a user logs out, he can however view the pages by using the browser's 'back' button, although he cannot interact with them, i.e. any link is forbidden. I want them not to be able to even view those pages after they have logged out.


 
Abhishek Purwar
Ranch Hand
Posts: 63
After logout, you can set the following values in the response header and it will work.

HttpServletResponse httpResponse = (HttpServletResponse) res;
httpResponse.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
httpResponse.setHeader("Pragma", "no-cache"); // HTTP 1.0.
httpResponse.setDateHeader("Expires", 0); // Proxies.

Try this and let me know your feedback.
 
Ashish Malik
Ranch Hand
Posts: 50
Where do I need to put this? In the servlet that the 'logout' link lands on? There I have only invalidated the session....
I put it there and it didn't work.
 
Abhishek Purwar
Ranch Hand
Posts: 63
Create one servlet and, for every request, set the response header with this.
 
Ajeeth Kumar
Ranch Hand
Posts: 56
You can include a blank header (or footer) element in all your JSP pages and set the following inside it using scriptlets.

httpResponse.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
httpResponse.setHeader("Pragma", "no-cache"); // HTTP 1.0.
httpResponse.setDateHeader("Expires", 0); // Proxies.


The simple way of doing that is to use the include-coda option in your web.xml. If you are using Struts then you can configure the same using Tiles.
 
Paul Clapham
Sheriff
Posts: 21111
That non-caching code is useful in its way, but if your application isn't coded to keep track of logged-in users properly then it doesn't answer Ashish's question.

The way to keep track of logged-in users is to keep a special "user" object in their session. This would contain whatever information the application needs to know about the user (e.g. the user's name so it can say "Hello Ashish").

When the user logs in, the login servlet creates a user object and adds it to the session. When the user logs out, the logout servlet removes that object from the session. Then at any time if you want to know if the user is logged in, you simply look in the session for that object. Not there? Not logged in. In this case it doesn't matter how the request is generated, in particular it doesn't make any difference whether the back-button was involved.

Just testing the existence of a session isn't going to work reliably.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64958
Ajeeth Kumar wrote: You can include a blank header (or footer) element in all your JSP pages and set the following inside it using scriptlets.

No, no, no, no, no, no, no.

And did I mention, no!

Firstly, using scriptlets is irresponsible in 2011.

Secondly, there's no need to pollute each and every page with this goop; use a servlet filter to add the headers.

Thirdly, what is up with the "blank element"?

Fourthly, doing this at the end of a JSP, whether in a coda or not, will just cause an IllegalStateException. You cannot add headers after emitting content.

 
Ashish Malik
Ranch Hand
Posts: 50
I have used the addition of a 'user object' in the session, so no problems there.
Also I tried to set these headers in the response from where the JSP page is spit out. No use.
 
Abhishek Purwar
Ranch Hand
Posts: 63
Ashish Malik wrote: I have used the addition of a 'user object' in the session, so no problems there.
Also I tried to set these headers in the response from where the JSP page is spit out. No use.


Did your issue get fixed with the mentioned changes or not?
 
Ashish Malik
Ranch Hand
Posts: 50
Apparently only Opera is able to show the page on a back-button hit after including the response headers.
 