The back button of the browser

Question

In my web java application, I succeed to logout from the principal page to the index page but when I clicked the back button of the browser I had the principal page in spite of I didn't enter my user name and my password.

  protected void processRequest(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    response.setContentType("text/html;charset=UTF-8");
    PrintWriter out = response.getWriter();

     request.getRequestDispatcher("index.html").include(request, response);  

        HttpSession session=request.getSession();  
        session.invalidate();  
           out.close();  
}

Is it sure it's not just cached? How about if you do `back` and then `CTRL+F5` reload the page? — Jan Zyka, Apr 22 '15 at 12:16

score 2 · Answer 1 · 2015-04-22T14:30:35.860

2

I clicked the back button of the browser I had the principal page in spite of I didn't enter my user name and my password

Browser back button does not makes request to the server. It is loaded from the cached page, so even if you have the session validation it won't work here.

You can possibly use client side script to resolve this issue. I had the same issue resolved by using this script, you need to have this on all pages which is requires valid session.

Edited:

<script>
  history.forward();
  if(window.attachEvent) {// extra step for IE
    window.attachEvent('onload', function() {});
  }
</script>

edited Apr 22 '15 at 14:30

answered Apr 22 '15 at 12:19

Does this kind of script introduce those annoying website behaviour, where you have to smash your back button to death, if you want to go beyond the site with that script? – Zhedar Apr 22 '15 at 12:28
@Zhedar, let me know once you have tried for yourself. – Apr 22 '15 at 14:31

score 1 · Answer 2 · edited May 23 '17 at 12:06

1

That is caused by your browser's caching for sure.

You can turn the caching off for your login page by setting some header information.

Quoted from this answer:

// Set standard HTTP/1.1 no-cache headers.
response.setHeader("Cache-Control", "private, no-store, no-cache, must-revalidate");

// Set standard HTTP/1.0 no-cache header.
response.setHeader("Pragma", "no-cache");

//Proxies
response.setDateHeader("Expires", 0);

edited May 23 '17 at 12:06

Community

1
1

answered Apr 22 '15 at 12:21

Zhedar

3,480
1
21
44

I copied your answer in the login servlet but I have the same problem – mass_develop Apr 22 '15 at 14:24
@mass_develop Did you clear your cache before trying? – Zhedar Apr 23 '15 at 09:03
You can safely clear it completely. If an old version of your site got cached, it may remain in there without the no-cache headers. – Zhedar Apr 23 '15 at 14:43
I cleared all the cache, I copied your answer in the all servlets also I restarted my computer but it didn't work – mass_develop May 10 '15 at 21:09

The back button of the browser

2 Answers2