After logout when I click back button in browser still the page accessible while refreshing it works fine

Question

I am having a web page in jsp and servlet

I am login the page and it is redirected into the homepage.jsp

In login I am setting session variables as follows in my servlet login.java as follows:

HttpSession ss = rq.getSession(true);
ss.setAttribute("uid", rstusrdetail.getInt(1));
ss.setAttribute("username", rstusrdetail.getString(2));

I have a logout button as well and my logout.java as follows:

try {
            HttpSession ss = rq.getSession(false);
            if (ss.getAttribute("uid") == null || ss.getAttribute("username") == null ) {
                rs.sendRedirect("/");
            }

            rs.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
            rs.addHeader("Cache-Control", "post-check=0, pre-check=0");
            rs.setHeader("Pragma", "no-cache");
            rs.setDateHeader("Expires", 0);
            HttpSession session = rq.getSession(false);
            session.setAttribute("uid", null);
            session.setAttribute("username", null);            
            session.invalidate();
            rs.sendRedirect("/");
        } catch (Exception exp) {
            RequestDispatcher dd = rq.getRequestDispatcher("/");
            dd.forward(rq, rs);
        }

After logout when I click the back button it is redirected to the homepage.jsp

If I refresh then I am getting session expire message . If I directly access the page also I am getting session expire message.

How can I get on clicking back button to get session expire with out refreshing or is there any ways to disable back button in browser?

Check [this article](http://www.javaworld.com/article/2072937/java-web-development/solving-the-logout-problem-properly-and-elegantly.html).Nicely explained. — Bacteria, Oct 21 '15 at 10:25
@UUIIUI I am also using the same way . You can check my code above. My issue is why I am getting page on back button? — Santhucool, Oct 21 '15 at 10:28
@Santhucool The code above doesn't show that you're also following that article's advice regarding disabling cache for all sensitive pages (not only when logging out). — Jiri Tousek, Oct 21 '15 at 10:52
Thanks buddy I have added some lines and it solved my issue!! — Santhucool, Oct 21 '15 at 11:11

score 3 · Answer 1 · answered Oct 21 '15 at 11:13

Added the following code on top of each pages which needs login:

HttpServletResponse httpResponse = (HttpServletResponse)response;

httpResponse.setHeader("Cache-Control","no-cache, no-store, must-revalidate"); 
response.addHeader("Cache-Control", "post-check=0, pre-check=0");
httpResponse.setHeader("Pragma","no-cache"); 
httpResponse.setDateHeader ("Expires", 0); 
if (session.getAttribute("uid") == null || session.getAttribute("username") == null ) {                               
                 response.sendRedirect("/invalidSession.jsp");
                 return;
 }

After logout when I click back button in browser still the page accessible while refreshing it works fine

1 Answers1