<%
    response.setHeader("Cache-Control","no-cache,no-store,must-revalidate");//HTTP 1.1
    response.setHeader("Pragma","no-cache"); //HTTP 1.0
    response.setDateHeader ("Expires", 0); //prevents caching at the proxy server
%>

After logout, on coming to the login page, if you click the back button it shows the old page as if it is logged in. I am using the above 3 lines in a JSP and I am including this in all my JSPs inside the body tag. This is not working for some JSPs. What are the things we need to consider for stopping caching after logout? If a JSP has a form with the POST method, does this technique not work?

In my Logout action I am doing this.

Cookie logoutCookie = new Cookie("somename", null);
logoutCookie.setPath("/somename");
logoutCookie.setMaxAge(0);
ServletActionContext.getResponse().addCookie(logoutCookie);

Thanks.

MadhuB

4 Answers


If you are using the back button from the browser, there is nothing you can do. The page will always come from the cache.

Just make sure you invalidate the session when the user clicks logout. That way when the user hits 'back' and tries to use the page he will be redirected to the login page (If your site is programmed correctly).

[EDIT]

Here is the header we put to have no cache for http 1.1 :

httpResponse.setHeader("Cache-Control", "private,no-store,no-cache");
tom
  • I am not using session here. I am using Cookie only to get logged in user details. – MadhuB Apr 26 '12 at 11:52
  • Well, with or without a session, are you talking about the back-button of the browser or some back button in your application? – tom Apr 26 '12 at 11:54
  • @Tom: My logout button is an Ajax call. After the Ajax call is over, it's redirected to the login page. Can I set the "no-cache" option on my Ajax call request? – user1050619 May 06 '14 at 23:48

I am including this in all my jsps inside body tag

This might be too late when the HTTP response is already committed at that point. An HTTP response will be committed when an X amount of characters has already been written to it, which will in your case be the HTML <head>. You need to put those lines at the very top of the JSP file, not in the <body> of the HTML representation.


On an unrelated note, you're making a huge design mistake by copypasting the same lines of code over multiple files. This is not DRY. Whenever you need to copypaste code, you should always stop and ask yourself if there isn't a single place to execute the particular code. In your particular case, you should have used a Filter instead. For a concrete example, see also this answer: Prevent user from seeing previously visited secured page after logout. Also, writing Java code in JSPs is a bad practice. Check How to avoid Java code in JSP files?

Also, your logout method is strange. Don't store the username in some custom cookie. You're basically reinventing the session. Just store the logged-in user as a session attribute instead and invalidate the entire session and send a redirect.

request.getSession().invalidate();
response.sendRedirect(request.getContextPath() + "/home.jsp");

For background information on the working of sessions, read this: How do servlets work? Instantiation, sessions, shared variables and multithreading

BalusC
  • I am getting a document expired message in Firefox after not allowing pages to be cached. This is when I am going back to the page which is the result of some action with a POST request. What is the best solution for this? I cannot use GET here. Thanks. – MadhuB Aug 20 '12 at 12:14
  • The answer would be to send a redirect, but since that's GET, it's end of story. Live with it, that's just how POST works. – BalusC Aug 20 '12 at 12:16

Have you tried response.setHeader("Cache-control","no-store"); response.setHeader("Pragma","no-cache"); response.setDateHeader("Expires", -1);? I think you're missing the quotes at the right place.

seeker
  • 'Not working for some pages' isn't really helpful. Are you making the person log in each time? Is there a filter in operation? How do you check if the user is validated in the first place? – seeker Apr 26 '12 at 12:31

Create a session attribute, let's say "valid", and initialize it with any value other than null in the JSP, just after the login credentials are matched. Now create a verify.jsp with the following code:

<%
response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
if(session.getAttribute("valid")==null)
{
    out.println("<script>parent.location.href='login.jsp'</script>");
}
%>

Now simply include this JSP file on each JSP page and it's done. Do not forget to write "session.invalidate();" in logout.jsp.

Hope it will work..!!!