I am developing a web application using JSP, with Oracle 11g. I am able to maintain data across sessions and logging out invalidates the session which results in a safe termination of the web app.

However, I am unable to fix the problem of the back button. My project is related to banking so the data in the application is considered sensitive. Hence I want to implement the feature that if someone presses the back button then the session should be terminated and redirected to the login page. Further attempts to try that should be a redirect to the login page. I have followed the following threads:

Disable browsers back button if the session is invalidated

Prevent user from seeing previously visited secured page after logout

servlet session , after logout , when back button of browser is pressed , again the secure page is shown

But the problem I am facing is that it is not working uniformly. Setting the no-cache option works sometimes. Sometimes it is showing an error that the page has expired (expected). But then when I click back again and then forward, the page is present as it is (unexpected behaviour). If I enter the URL after pressing the back button then it is accessible as well. Again, if I am opening two separate sessions then it is working in one and not working in another.

It is becoming a bit confusing and leading to spaghetti code.

Is there any work around regarding this problem?

I found a few other examples that tackle the same problem, but they were in another language (PHP). I am not familiar with PHP so I was unable to decipher the meaning of the code.

Any help is appreciated.

Regards, Rajorshi Mukherjee.

Okay, thanks to those who viewed the question, guys. Certainly I was expecting someone to help me out of this bind. Anyway, I have found a solution to the problem that I was working on. I have added the code shared in these posts:

Disable browsers back button if the session is invalidated

Prevent user from seeing previously visited secured page after logout

The part that shows the Pragma and Cache-Control headers: I found that including this code inside every page that I have present in the application solves the issue. So if the user logs into the system, then traverses many different pages, then suddenly decides to go back, in all the pages he will find that the page has expired and is no longer accessible. However, the first page, the login page, is still shown to the user, as the user may again want to log in with his credentials once he goes back to the first page. I was initially having problems with this issue because when I pressed forward the page would again be visible. But I realize now that it was mainly because I had not included the cache-control directives in all the pages.

Thanks for reading guys.

EDIT: I ran into another problem some time back. In the servlets I was using
request.getRequestDispatcher("url").forward(request, response);
This was creating an issue. Even if the page had expired, if I reloaded the page then the page would be visible again as normal, or I would get an error page. It would appear as if the session had not expired at all. To overcome this I used
response.sendRedirect("url");
That way the response was being permanently relocated to the next page and all validation on page load was conducted successfully, so no erroneous data was creeping in.

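The two fixes in the answer (no-cache headers on every page, and sendRedirect rather than forward when the session is gone) can be applied in one place with a servlet filter, so that no JSP can be forgotten. The filter below is an added example, not code from the question or the linked threads; the login path /login.jsp and the session attribute name "user" (assumed to be set by the login servlet) are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumptions: the login page is /login.jsp, the login servlet stores the
// authenticated user under the session attribute "user", and the filter
// is mapped to every URL so the headers reach every page.
@WebFilter("/*")
public class NoCacheSessionFilter implements Filter {

    private static final String LOGIN_PAGE = "/login.jsp"; // assumed path
    private static final String USER_ATTR = "user";        // assumed attribute

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The same headers the answer pastes into each JSP, set once for all.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP/1.1
        response.setHeader("Pragma", "no-cache");                                   // HTTP/1.0
        response.setDateHeader("Expires", 0);                                       // proxies

        String path = request.getRequestURI().substring(request.getContextPath().length());
        boolean isLoginPage = path.equals(LOGIN_PAGE) || path.equals("/");

        // getSession(false) never creates a session as a side effect; a JSP may
        // have created an empty one after logout, so also check the attribute.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;

        if (!isLoginPage && !loggedIn) {
            // Redirect, not forward: the browser issues a fresh request for the
            // login page, so reload and history no longer show the secured page.
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

With this in place the logout servlet only needs session.invalidate() followed by sendRedirect to the login page; the filter handles every later back, forward or reload.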