
Possible Duplicate:
Prevent user from going back to the previous secured page after logout

I was wondering how to invalidate a session in JSP and servlets. On my website, when a person logs out he reaches the login page, but on clicking the back button he can access the previous page. I am not able to understand where to put session.invalidate()

And further, where should I invalidate it: on login.jsp or on my other web pages when a person hits logout?

My filter class:-

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Servlet 2.4 (Tomcat 5.5) filter: there is no @WebFilter annotation in that API,
// so the filter is registered in web.xml. init() and destroy() are required by the
// javax.servlet.Filter interface; without them the class does not compile.
public class LoginFilter implements Filter {

    public void init(FilterConfig filterConfig) throws ServletException {
        // Nothing to configure.
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Tell the browser never to keep a copy of a protected page, so the back
        // button re-requests it instead of showing it from cache. Headers must be
        // set before the response is committed, i.e. before sendRedirect() or
        // before the JSP starts writing, so they are set here for both branches.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
        response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
        response.setDateHeader("Expires", 0); // Proxies.

        HttpSession session = request.getSession(false); // false: do not create one just to look.

        if (session == null || session.getAttribute("currentSessionUser") == null) {
            // No logged-in user found, so redirect to the login page. The path is built from
            // the context path so it resolves the same from any URL under /ARMS/; this assumes
            // Loginpage.jsp sits at the webapp root, outside the filtered pattern (a relative
            // "Loginpage.jsp" would resolve under /ARMS/ and be redirected again).
            response.sendRedirect(request.getContextPath() + "/Loginpage.jsp");
        } else {
            chain.doFilter(req, res); // Logged-in user found, so just continue the request.
        }
    }

    public void destroy() {
        // Nothing to release.
    }
}

In web.xml I've written:-

<filter>
    <filter-name>loginFilter</filter-name>
    <filter-class>LoginFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>loginFilter</filter-name>
    <url-pattern>/ARMS/*</url-pattern>
</filter-mapping>

On my Loginpage.jsp I've just written

<%
session.invalidate();
%>

Is it okay? Secondly, I am not clear on the directory structure. I am putting screenshots of it.

I am using the Apache Tomcat 5.5 server, so I guess I should not put the url-pattern annotation in the filter class, right? Because it is only supported in Tomcat 7 and above.

Dhruv
  • Are you invalidating the session (`session.invalidate()`) on log out? – Bhesh Gurung Nov 04 '11 at 17:33
  • @BheshGurung - I have written session.invalidate on the login page. Is it wrong? "Log out" is a hyperlink to the login page – Dhruv Nov 04 '11 at 18:19
  • Looks like you are redirecting to the login page when the user clicks on the "Log out" link, and in that page you are invalidating the session first and presenting the login form. If that's the case, then there is nothing wrong with your code. The problem is that your page is being cached by the browser, which the browser shows when the user clicks the back button. To handle this issue follow the link posted by BalusC above in the first comment. – Bhesh Gurung Nov 04 '11 at 19:08
  • @BheshGurung - Thanks for telling, but I am not clear on where to keep the filter class in my project. I created a folder "classes" under WEB-INF and have it in it. But nothing works. I've written the code in the question above – Dhruv Nov 04 '11 at 22:52
  • @Drake Really, it's caching--refer to the link provided. – Dave Newton Nov 04 '11 at 23:05
  • @Dave Newton - I did follow the link but now it does not load the login page. – Dhruv Nov 04 '11 at 23:20

2 Answers


Invalidate the session in the servlet or the JSP that you go to when a user hits "log out". In a crude way, you can check if a session exists on each page that a user goes to.

Take a look at this thread, it has some answers that you are looking for.

http://forums.devx.com/showthread.php?t=146975

Mechkov


I use a servlet for the sole purpose of log outs. When a user hits the log out button it directs them to that page, which in turn checks for an active session and if it finds one, calls session.invalidate() then redirects the user back to the home page (or wherever you would like).

HttpSession session = request.getSession(false); // false: do not create a session just to invalidate it

if (session != null) {
    session.invalidate(); // server-side state is gone; the old JSESSIONID no longer maps to anything
    RequestDispatcher rd = request.getRequestDispatcher("Loginpage.jsp");
    rd.forward(request, response); // forward renders the login page under the logout URL; a redirect would change the address bar
} else {
    // There is no session. Redirect somewhere
}

This is just a quick example.

ryandlf
    This is when the user hits "log out" but not the back button of the browser, correct me if I'm wrong. Thanks – Dhruv Nov 07 '11 at 17:33
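Putting ryandlf's logout servlet and Bhesh Gurung's caching comment together, here is an added example of a dedicated logout servlet written against the Servlet 2.4 API that Tomcat 5.5 implements. It is not code from the question or from either answer. The class name LogoutServlet, the /logout mapping shown in the comment, the LOGIN_PAGE constant and the default Tomcat cookie name JSESSIONID are assumptions, and Loginpage.jsp is assumed to sit at the webapp root, outside the filtered /ARMS/* pattern.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical logout servlet (assumed name), Servlet 2.4 API only, so no annotations.
 * Assumed web.xml mapping, not taken from the question:
 *   <servlet><servlet-name>logout</servlet-name><servlet-class>LogoutServlet</servlet-class></servlet>
 *   <servlet-mapping><servlet-name>logout</servlet-name><url-pattern>/logout</url-pattern></servlet-mapping>
 * The "Log out" link then points at <%= request.getContextPath() %>/logout instead of at the login page.
 */
public class LogoutServlet extends HttpServlet {

    private static final String LOGIN_PAGE = "/Loginpage.jsp"; // assumed to live at the webapp root

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        logout(request, response);
    }

    // Accept POST as well, so the logout control can be a form rather than a prefetchable link.
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        logout(request, response);
    }

    private void logout(HttpServletRequest request, HttpServletResponse response) throws IOException {
        // 1. Drop the server-side state. getSession(false) avoids creating a session just to kill it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Expire the session cookie in the browser so the dead id is not sent on later requests.
        //    Tomcat rejects an invalidated id anyway; this keeps it out of later requests and logs.
        //    Tomcat scopes the cookie to the context path ("/" for the ROOT context).
        String contextPath = request.getContextPath();
        Cookie cookie = new Cookie("JSESSIONID", "");
        cookie.setMaxAge(0);
        cookie.setPath(contextPath.length() == 0 ? "/" : contextPath);
        response.addCookie(cookie);

        // 3. Keep the logout response out of the cache, then redirect rather than forward.
        //    Headers are set before sendRedirect(), because a committed response ignores them.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);
        response.sendRedirect(contextPath + LOGIN_PAGE);
    }
}
```

This answers Dhruv's last comment: invalidating on logout is only half of the fix. The back button shows whatever copy of the previous page the browser kept, and it keeps one unless that page was served with Cache-Control: no-store. Emitting that header on every protected response is the LoginFilter's job, and it has to happen before the response is committed (before sendRedirect() or before the JSP writes), which is why setting the headers after sendRedirect(), as in the question's filter, has no effect. With both pieces in place, pressing back re-requests the protected page, the filter finds no session, and the user is sent to the login page.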