Preventing User to go back after logout in jsp

Question

Possible Duplicate:
Prevent user from going back to the previous secured page after logout

I need to secure a java application(mvc) by preventing a user to access the same after signout.

Objective:

1.Enduser should not be able to access the restricted page using browser back button after signout. 2.Enduser should not be able to access any restricted URL in browser history after signout

After googling i understood that it is not a good practice to disable the browser-back button.So How can I achieve this at the best in JSP ?

Thanks&Regards Ashish

Answer 1

In each page you can probably clear the cached page.

  <%
  response.setHeader("Cache-Control","no-cache");
  response.setHeader("Cache-Control","no-store");
  response.setHeader("Pragma","no-cache");
  response.setDateHeader ("Expires", 0);

  if(session.getAttribute("some_token")==null)
      response.sendRedirect("login/login.html");

  %> 

In logout you must be invalidating session so when you click back it would check the some_token attribute value in session and if not there it will redirect you to login page . But remember after login you are setting some_token attribute in session.

Answer 2

General approach to secure your resource -

1. put session attribute check(ex. user object) in restricted page controller.
2. invalidate the session after logout.

Answer 3

For every restricted JSP/Servlet, you should check whether the user has signed in. If the user is not signed in, redirect them to a non-restricted page. (You don't need any JavaScript for this)

<%
   int userId = session.getAttribute("userId");
   if(userId == null) {
      response.sendRedirect(redirectURL);
   }
%>

When user log out, you invalidate the session so when user attempts to access restricted JSP/Servlet page, your authentication logic will redirect him.

<% session.setAttribute("userId", null); // in your logout.jsp page %>