Avoiding access to history after logout

Question

i want to create a login page and after logout i want user to show the login page rather than the previous page

how to prevent user from going to back to previous page after logout. i have cleared the cache....but it by pressing back button user is going to previous page.I want when after logout user presses back button login page is refreshed and displayed

    <s:form action="Login" >
    <s:textfield label="username" name="userName"/>
    <s:password label="password" name="password"/>
    <s:submit name="login" value="login"></s:submit>
    </s:form>

how to manange session also.can anyone help me Login .java

  package action;

 import com.opensymphony.xwork2.ActionSupport;


public class Login extends ActionSupport {

private String userName;
private String password;

public Login() {
}

@Override
  public String execute() {



  Map  session = ActionContext.getContext().getSession();
  session.put("logged-in","yes");
  return SUCCESS;


}
    @Override
       public void validate()
    {
    if(getUserName().length()==0)
    {
         addFieldError("userName", "User Name is required");
    }
   else if (!getUserName().equals("prerna"))
   {
       addFieldError("userName", "Invalid User");
   }

     if(getPassword().length()==0)
    {
         addFieldError("password", "password is required");
    }

     else   if (!getPassword().equals("prerna")) {
        addFieldError("password", getText("password.required"));
    }



   }


      public String getUserName() {
       return userName;
      }

/**
 * @param userName the userName to set
 */
public void setUserName(String userName) {
    this.userName = userName;
}

/**
 * @return the password
 */
public String getPassword() {
    return password;
}

/**
 * @param password the password to set
 */
public void setPassword(String password) {
    this.password = password;
}
 }
Logout.java

   public class Logout {

     public Logout() {
       }

       public String execute() throws Exception {

     Map session = ActionContext.getContext().getSession();
     session.remove("logged-in");

    return "success";
}

}

logout.jsp

   <s:property value="userName"/>
     <s:property value="password"/>
    <s:url action="Logout.action" var="urlTag">

      </s:url>
      <s:a href="%{urlTag}">URL Tag Action (via %)</s:a>

interceptor logintest

  package interceptor;

    import action.Login;
    import com.opensymphony.xwork2.ActionContext;
    import com.opensymphony.xwork2.ActionInvocation;
    import com.opensymphony.xwork2.interceptor.Interceptor;
    import java.util.Map;



 public class logintest implements Interceptor {

   public logintest() {
    }

public void destroy() {
    throw new UnsupportedOperationException("Not supported yet.");
}

public void init() {
    throw new UnsupportedOperationException("Not supported yet.");
}

public String intercept(ActionInvocation actionInvocation) throws Exception {
   Map<String, Object> session = ActionContext.getContext().getSession();

    // sb: feel free to change this to some other type of an object which
    // represents that the user is logged in. for this example, I am using
    // an integer which would probably represent a primary key that I would
    // look the user up by with Hibernate or some other mechanism.
    String userId = (String) session.get("logged-in");

    // sb: if the user is already signed-in, then let the request through.
    if (userId != null) {
        return actionInvocation.invoke();
    }

    Object action = actionInvocation.getAction();

    // sb: if the action doesn't require sign-in, then let it through.


    // sb: if this request does require login and the current action is
    // not the login action, then redirect the user
    if (!(action instanceof Login)) {
        return "loginRedirect";
    }

    // sb: they either requested the login page or are submitting their
    // login now, let it through
    return actionInvocation.invoke();

   }

}

struts.xml

              <!DOCTYPE struts PUBLIC
     "-//Apache Software Foundation//DTD Struts Configuration 2.1//EN"
         "http://struts.apache.org/dtds/struts-2.1.dtd">

 <struts>
      <!-- Configuration for the default package. -->
<package name="default" extends="struts-default">

    <interceptors>

        <interceptor name="logintest"
class="interceptor.logintest"></interceptor>

        <interceptor-stack name="newStack">
            <interceptor-ref name="logintest"/>
            <interceptor-ref name="defaultStack" />
        </interceptor-stack>
    </interceptors>
    <global-results  >
        <result name="loginRedirect" type="redirect" >/login.jsp</result>
    </global-results>
    <action class="action.Login" name="Login">
        <interceptor-ref name="newStack"></interceptor-ref>
        <result name="input">/login.jsp</result>

        <result name="success">/loginsuccess.jsp</result>

    </action>

    <action class="action.Logout" name="Logout">

        <interceptor-ref name="newStack"></interceptor-ref>

        <result name="success">/login.jsp</result>
    </action>
</package>

the back button functionality is a client side browser feature. The only way I can think of is if you intercept the button press somehow and make an ajax call to the server about the login status then cancel the event and redirect to the login page ... but I doubt that's even possible — Liviu T., Jun 16 '11 at 17:41
formatting your source code goes a long way in making it readable — Steven Benitez, Jun 16 '11 at 18:10

score 0 · Accepted Answer · answered Jun 16 '11 at 18:06

0

As Liviu. mentioned, that behavior is controlled by the client's browser. The most you can do is to send no-cache and possibly no-store headers with each request for your logged in pages so that the browser does not store those and when the user presses back the browser has to re-request the page, which results in the login page.

The specific headers you would want to set would be:

response.setHeader("Cache-Control", "no-cache, no-store");
response.setDateHeader("Expires", 0);
response.setHeader("Vary", "*");

answered Jun 16 '11 at 18:06

Steven Benitez

10,936
3
39
50

this is not solving my problem – coder25 Jun 19 '11 at 10:30
Have you confirmed those headers are being set? Which browsers/versions are you testing with? Is the problem occurring across all browsers/versions or only some? – Steven Benitez Jun 19 '11 at 15:37
where to add this specific headers in my application – Sandeep vashisth May 08 '13 at 05:31
i m developing struts 2 application i have same issue ot can visit the link http://stackoverflow.com/questions/16433000/restrict-a-user-to-go-to-back-pages-from-the-browser-back-button-after-log-out-i – Sandeep vashisth May 08 '13 at 05:41

score 0 · Answer 2 · answered Dec 15 '11 at 10:58

Try this

<html>
<head>
<title>Back Button Demo: Page One</title>
<script>
function backButtonOverride()
{
  // Work around a Safari bug
  // that sometimes produces a blank page
  setTimeout("backButtonOverrideBody()", 1);

}

function backButtonOverrideBody()
{
  // Works if we backed up to get here
  try {
    history.forward();
  } catch (e) {
    // OK to ignore
  }
  // Every quarter-second, try again. The only
  // guaranteed method for Opera, Firefox,
  // and Safari, which don't always call
  // onLoad but *do* resume any timers when
  // returning to a page
  setTimeout("backButtonOverrideBody()", 500);
}
</script>
</head>
<body onLoad="backButtonOverride()">
<h1>Back Button Demo: Page One</h1>
<a href="page2.html">Advance to Page Two</a>
</body>
</html>

Source Link

IMO forcing the browser to move forward in its history, while somewhat effective, is a terrible user experience. — Steven Benitez, Mar 10 '12 at 17:34

Avoiding access to history after logout

2 Answers2