after logout back button is working returning to authenticated page

 
Greenhorn
Posts: 19
Eclipse IDE Oracle Java
I am working on a simple HTML and servlet-based application. In it, I wrote the code for the logout servlet as follows:

response.setContentType("text/html");
request.getRequestDispatcher("Nextpage.jsp").include(request, response);
response.setHeader("Cache-Control", "no-cache, no-store");
response.setHeader("Pragma", "no-cache");

request.getSession().invalidate();
System.out.println(request.getSession(false));
response.sendRedirect(request.getContextPath() + "/login.html");

This code invalidates the session correctly, but after logout it goes to the login page, and when I pressed the back button it goes to the welcome page, creating a new session by itself. I want to restrict the back button after logout. Please help me with this issue.
 
Sheriff
Posts: 67746
173
Mac Mac OS X IntelliJ IDE jQuery TypeScript Java iOS
Do your pages not have filters that disallow viewing when there is no login?
 
vikas gunti
Greenhorn
Posts: 19
Eclipse IDE Oracle Java
Will you please give me an explanation? I am a new programmer and I didn't understand what a filter is. Give the solution so the page never goes back after logout.
 
Bartender
Posts: 2856
10
Firefox Browser Fedora Java
A quick Google search about filters will help you know what filters are. Here is one such link.
Another thing is to use JavaScript to intercept the back button and invalidate+redirect.
I am not saying use either of the above; depending on how much you care about the "back" button, you need to add the second suggestion after incorporating the first.
 
Rancher
Posts: 4801
50

Amit Ghorpade wrote:
Another thing is to use JavaScript to intercept the back button and invalidate+redirect.



Not a fan of this at all.
Disabling browser functionality like that is frustrating (and often a bit flaky).
You end up wrestling with how a browser is designed to work, and that never ends well.


Adding a filter to the server is far preferable.
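
A server-side filter of the kind recommended in this thread, as an added example that is not part of the original posts. It assumes the protected pages live under /secure/* and that the login servlet stores a "user" attribute in the session on success; both names are hypothetical. On Jakarta EE 9 and later the imports are jakarta.servlet instead of javax.servlet.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Added example: guards every URL under /secure/* (an assumed layout).
@WebFilter("/secure/*")
public class LoginRequiredFilter implements Filter {

    // Assumed name of the attribute the login servlet sets on success.
    private static final String USER_ATTR = "user";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Tell the browser not to keep a copy, so Back has to ask the
        // server again instead of showing the page from its cache.
        // Headers must be set before any output is written.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        // getSession(false) never creates a session; getSession() would
        // quietly hand an anonymous visitor a fresh one.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;

        if (!loggedIn) {
            response.sendRedirect(request.getContextPath() + "/login.html");
            return; // do not run the protected servlet or JSP
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```

With this in place the Back button still works, but a request for a protected page after logout is answered with a redirect to the login page instead of the page itself.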
 
Amit Ghorpade
Bartender
Posts: 2856
10
Firefox Browser Fedora Java

Dave Tolls wrote: Disabling browser functionality like that is frustrating (and often a bit flaky).


I concur. Personally, I also feel it makes for a bad user experience. However, I was addressing the following requirement.

vikas gunti wrote: give the solution so the page never goes back after logout


Page never goes back = kill the back button.
 
Bear Bibeault
Sheriff
Posts: 67746
173
Mac Mac OS X IntelliJ IDE jQuery TypeScript Java iOS
If you are new to all this, you should probably not be building your own security system. I would learn about the security built into the servlet specification and rely upon that.

And, yes, never mess with the browser's back button. It's not going to buy any real level of security, and can easily be circumvented. All you'll do is tick off your legitimate users.
 
Saloon Keeper
Posts: 27763
196
Android Eclipse IDE Tomcat Server Redhat Java Linux

Bear Bibeault wrote: If you are new to all this, you should probably not be building your own security system.



In fact, unless you are professionally-trained in security details and your sole involvement in the project is the security, you should not be building your own security system.

J2EE/JEE comes with its own professionally-designed, extensively-tested, well-documented login and role-based container security system. It can stop attackers before the webapp is even visible to the attacking request.

In contrast, about 95% of all the Do-It-Yourself security systems are nothing more than damp tissue paper and can more often than not be easily defeated by non-technical people in under 15 minutes. Hang around the Ranch for long, and you'll hear me sing that song again. And again. And again. Because it's based on many years of experience. Some of the flimsiest DIY login systems were used in critical things like banking and finance and often some local "genius" designed it and mandated it for corporate use.

As for the "Back" button, Alt-LeftArrow, etc., forget it. You don't own those controls, the client does. There's nothing in the HTTP standard that supports meddling with the proper operation of the "back" function.

A quality security system such as the J2EE standard one won't care if they hit "Back", because the session will have been logged out and any attempt to reload a secured URL will simply bounce the user to the login screen.
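
The container-managed approach described above, as an added example that is not part of the original posts. It assumes a FORM login-config and a user realm with a role named "user" are already configured in web.xml and the container; the role name and the /secure/welcome and /logout paths are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

// Added example. Nested classes are used only to keep it in one file;
// normally each servlet has its own source file.
public final class ContainerSecurityExample {

    // The container rejects the request before doGet runs unless the
    // caller is authenticated and in the (assumed) role "user".
    @WebServlet("/secure/welcome")
    @ServletSecurity(@HttpConstraint(rolesAllowed = "user"))
    public static class WelcomeServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            response.setHeader("Cache-Control", "no-store");
            response.setContentType("text/plain");
            // getRemoteUser() is the name the container authenticated.
            response.getWriter().println("Welcome, " + request.getRemoteUser());
        }
    }

    @WebServlet("/logout")
    public static class LogoutServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            // Drop the identity the container established at login.
            request.logout();
            // Discard session state without creating a new session.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            // Requesting a protected URL makes the container present
            // its configured login page.
            response.sendRedirect(request.getContextPath() + "/secure/welcome");
        }
    }
}
```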
 
Dave Tolls
Rancher
Posts: 4801
50

Tim Holloway wrote:
Some of the flimsiest DIY login systems were used in critical things like banking and finance and often some local "genius" designed it and mandated it for corporate use.



I think I've worked there...
 
Tim Holloway
Saloon Keeper
Posts: 27763
196
Android Eclipse IDE Tomcat Server Redhat Java Linux

Dave Tolls wrote:

Tim Holloway wrote:
Some of the flimsiest DIY login systems were used in critical things like banking and finance and often some local "genius" designed it and mandated it for corporate use.



I think I've worked there...



ALL of them?