Implemented a filter, trying to prevent caching during logout from servlet.

Hey Guys,

I was doing some reading this morning about trying to use filters to prevent caching and implemented a filter for now. I do have the Filter working and being called as defined in my web.xml. I put the recommended setHeader to prevent Firefox from caching when I logout. It appears that my invalidate() is working properly, but the ability to type the servlet name I just came from or hitting the back button seems to keep the old stuff. Is there a definite solution of what I must do to prevent someone from typing in the servlet or hitting the back button, being forced to re-login in again to access those pages? What would be the correct fix?

Being new to using filters, it seems that when I load the page the filter is being called. As it is being called, I would expect those variables for the header be defined for the browser, but seems to have no affect with the latest Firefox. Am I missing something specifically defined to tell Firefox how to behave? The same would be true for IE and Chrome.

Thanks for your help... Steven


public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { HttpServletRequest request = (HttpServletRequest) req; HttpServletResponse response = (HttpServletResponse) res; HttpSession session = request.getSession(false); System.out.println("**************DOING THE FILTER*************"); response.setHeader("Cache-Control","no-cache"); response.setHeader("Pragma","no-cache"); response.setDateHeader ("Expires", -1); chain.doFilter(req, res); }

<filter>
<filter-name>SessionFilter</filter-name>
<filter-class>
com.filter.SessionFilter
</filter-class>
</filter>

<filter-mapping>
<filter-name>SessionFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

Is there anything preventing people from accessing the pages when not logged in? If not, then typing in the URL will simply show them the page. Or is that implemented with a different filter?

Thanks for responding. When coming in brand new (the landing page not visited), it detects that a set attribute is missing and will do a redirect so the user can't go directly to. Here is flow:

Login
--> Landing Page
--> User selects Logoff
->Back to Login page

As you had mentioned, the user can hit the back button or simple type in the landing page servlet name as the URL, and they are back on the landing page. I want to prevent that from happening, but it seems everything I have tried has not yet worked in a Firefox browser to prevent it from loading cache. If they hit logout, I want them to then log back in again, not accessing the landing page by hitting the back button.

Thank you!

Steven Mac wrote:
<filter>
<filter-name>SessionFilter</filter-name>
<filter-class>
com.filter.SessionFilter
</filter-class>
</filter>

<filter-mapping>
<filter-name>SessionFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

You mentioned when logged off, filter will be executed. According to your configuration, filter will be executed for every request.

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { HttpServletRequest request = (HttpServletRequest) req; HttpServletResponse response = (HttpServletResponse) res; HttpSession session = request.getSession(false); System.out.println("**************DOING THE FILTER*************"); if(session.getAttribute("anyAttribute")==null) { //Redirect user to login page } response.setHeader("Cache-Control","no-cache"); response.setHeader("Pragma","no-cache"); response.setDateHeader ("Expires", -1); chain.doFilter(req, res); }

I have done modification for your code. check it once.

Thanks
Vipul

Hi Vipul,

Yes, I wanted to have the filter execute everytime to indicate that I don't want caching of the webpage so that when the user logs out, and they attempt to hit the back button in Firefox (or any other browser), they cannot see the previous page and must be forced to log back in. I tried the response.setHeaders below, but they are not working to prevent caching of the pages. Another way that would work for me based upon how my code is set up is I just need a simple page refresh from the server because the session should be invalidated with attributes removed, redirecting the user back to login.

To restate the issue: I want to prevent the caching of a web page once the user has logged out and being able to go back to previous page. I read that a filter was good to use as it can execute for each servlet/jsp. Any thoughts on this?

This doesn't seem to be working:
response.setHeader("Cache-Control","no-cache"); response.setHeader("Pragma","no-cache"); response.setDateHeader ("Expires", -1);