Java EE/Java Browser Security

Question

I have a problem with my Java EE (Tomcat) java based web application.

user logs in to website
user viewing page a ssl page in our web site
user logs off, session invalidated
user gets redirected to login page (ssl)
user hits the back button and is able to get to the page in step 2.

How is this avoidable?

score 1 · Accepted Answer · edited May 23 '17 at 10:34

1

Set the Cache-Control header on those pages to

no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0

(also Expires, Last-Modified, Pragma)

see this question for how to do it

edited May 23 '17 at 10:34

Community

1
1

answered Jul 07 '11 at 10:09

Sean Patrick Floyd

292,901
67
465
588

score 0 · Answer 2 · answered Jul 07 '11 at 09:12

The user is only recieving a cached copy of the logged in page. If they try to do anything on that page, they will find the session has ended.

One possible method of stopping this (although it may not be the best) is to add some JS to each page that will redirect the user to the log-in page if the session has ended.

Java EE/Java Browser Security

2 Answers2