I have created a web application using JSF 2.0 where I want to prevent the user from going back after logout.

For a solution I looked at the great BalusC answer and tried something else, however it is not working.

What I tried is as below.

<h:commandLink value="logout" action="#{bean.makeMeLogut()}" />

in bean I have

public void makeMeLogut() {
    try {
        // get response from JSF itself instead of coming from filter.
        FacesContext.getCurrentInstance().getExternalContext().getSessionMap().put("isLoggedIn", "false");
        FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
        HttpServletResponse hsr = (HttpServletResponse) FacesContext.getCurrentInstance().getExternalContext().getResponse();
        hsr.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
        hsr.setHeader("Pragma", "no-cache"); // HTTP 1.0.
        hsr.setDateHeader("Expires", 0); // Proxies.
        FacesContext.getCurrentInstance().getExternalContext().redirect("index.xhtml");
    } catch (IOException ex) {
        System.out.println("can't logut...");
    }
}

As per BalusC's answer, I need to create a filter, however I thought to use the JSF response and set the headers on it. However it is not working.

Any idea where I am going wrong?

Fahim Parkar

1 Answer

You're not setting those headers on the response of the restricted page itself, but you're only setting those headers on the response of the logout action. So the restricted page itself is still in the browser cache, only the logout action is not in the browser cache. However, the back button does not go to the logout action, it goes to the restricted page (which is thus still served up from the browser cache).

You really need a filter on all requests to those restricted pages, exactly as outlined in the answer you found.

See also:


Unrelated to the concrete problem, manipulating the session map right before invalidate makes no sense. The session invalidation would implicitly already clear out the entire map (as it basically refers to the attributes of the session). Just remove the line wherein you manipulate the session map.

Also the catch on IOException which does only a stdout is extremely poor. Remove the whole try-catch and add throws IOException to the method. The container will handle it with an error page.

BalusC
  • Very much Thank You Sir, it works perfectly on Firefox and Chrome for me, but unfortunately on Safari in iPad mini, it doesn't.. :( I can't get it to work on Safari. Any idea do You maybe have? – 10101101 Mar 23 '20 at 11:12