0

In our Java EE application we use container-based certificate authentication. We have created a JAASLoginModule, which implements the LoginModule interface with all required methods. We have configured our WildFly and TomEE servers to use this module both for authentication and SSL channel security, and everything goes smoothly with user login:

  • the user opens the browser and the app;
  • selects a certificate;
  • a JSF session is created, and now he is logged in;

A different story is with the logout. Just destroying the JSF session is not enough - after logout, if you just click back, the browser will get the certificate info from cache, recreate a session and let you do the same stuff. Sometimes even a browser restart does not help. I could not find an effective way to call the logout method of the LoginModule from the JSF managed bean.

Any way to solve this problem?

Arjan Tijms

1 Answer

0

Your problem is directly with the browser, so what you need is to tell the browser to "restart" the cache from your page every time it logs out, in order for it to think it's the first time the client is trying to get into that page. Kind of the same as what private windows in Chrome and Firefox do.

Try this code:

 //...
 // setHeader() replaces any earlier value for the same header name, so both
 // directives must be sent in a single Cache-Control header.
 // no-cache: forces caches to obtain a new copy of the page from the origin server
 // no-store: directs caches not to store the page under any circumstance
 response.setHeader("Cache-Control", "no-cache, no-store");
 response.setDateHeader("Expires", 0); // Causes the proxy cache to see the page as "stale"
 response.setHeader("Pragma", "no-cache"); // HTTP 1.0 backward compatibility

 // Can check userId or something like this. In this sample, I checked with userName.
 String userName = (String) session.getAttribute("User");
 if (null == userName) {
     request.setAttribute("Error", "Session has ended.  Please login.");
     RequestDispatcher rd = request.getRequestDispatcher("login.jsp");
     rd.forward(request, response);
     return; // stop processing this page once the request has been forwarded
 }

Source: How to clear browser cache using java

Community
Luis
  • There is no way to force this from the server side in Java (or any other language and/or container IMHO). I have done a lot of research and the only reliable way is to restart the browser. – mvreijn Jul 05 '16 at 10:00