Requirement:
I am implementing a secure logout feature in my web app (Servlets/JSP based), i.e. after logging out the user shouldn't be able to access any pages by typing the URL, from the cache, or by hitting the back button in the browser; the application should redirect to the login page.
What I did:
Based on some reading and some SO answers I started implementing this feature with Filters, and this is what I did.
In web.xml:
<filter>
    <filter-name>NoCacheFilter</filter-name>
    <filter-class>com.controller.NoCacheFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>NoCacheFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
In my Filter class, the doFilter() method:
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain)
        throws IOException, ServletException {
    HttpServletResponse response = (HttpServletResponse) servletResponse;
    HttpServletRequest request = (HttpServletRequest) servletRequest;

    // Forbid caching of every response that passes through the filter
    response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
    response.setHeader("Pragma", "no-cache");
    response.setDateHeader("Expires", 0);

    // Only let the request through if an existing (not freshly created) session is present
    HttpSession session = request.getSession(false);
    if (session != null && !session.isNew()) {
        chain.doFilter(request, response);
    } else {
        response.sendRedirect("/WEB-INF/login.jsp");
    }
}
I am using Chrome, and the feature is not working at all, i.e. the user can still access pages after logging out by typing the URL or hitting the back button.
Where am I going wrong? What changes should be done to make it work?
Thanks in advance,
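A hardened variant of the filter described in the question, added here as an example; it is not the asker's code. It keeps the web.xml mapping shown above and assumes that the login form lives at /login.jsp, that it posts to a /login servlet which stores a "user" attribute in the session on success, and that logout calls session.invalidate(); those names are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: NoCacheFilter mapped to /* via the web.xml from the question.
public class NoCacheFilter implements Filter {

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Forbid caching on every response, so Back cannot replay a page
        // after the session has been invalidated.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        // Request path relative to the context root (deployment-independent).
        String path = request.getRequestURI().substring(request.getContextPath().length());

        // The login page and login action must pass without a session (assumed
        // names), otherwise an unauthenticated visitor is redirected in a loop.
        boolean loginResource = path.equals("/login.jsp") || path.equals("/login");

        // "Logged in" means the session carries a user, not merely that a
        // session object exists (a JSP may create an empty one at any time).
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("user") != null;

        if (loginResource || loggedIn) {
            chain.doFilter(request, response);
        } else {
            // sendRedirect treats a leading "/" as relative to the container root,
            // and /WEB-INF is never served to clients, so build a public URL
            // inside this context instead of "/WEB-INF/login.jsp".
            response.sendRedirect(request.getContextPath() + "/login.jsp");
        }
    }

    @Override
    public void destroy() {}
}
```

Any resource the login page itself needs (stylesheets, images) must be added to the loginResource allow-list, or the filter will redirect those requests too.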