2

I am developing a web application, in which I have used session management to store some values.

What I am looking for is this: after a user logs in to the application by giving a username and password, s/he will be on the home page, but if at any moment the user closes the browser window or presses the back button, the session should get invalidated and the user should not get the home page again.

I am using a servlet as the controller for login (JSP) and 2 JSP pages: 1st, the login page; 2nd, the home page.

For timeout I am using web.xml's <session-timeout> functionality.

BalusC
Ars
  • The back button is the most used button in the browser. Do you want to frustrate your users and make them go away? – JB Nizet Feb 20 '12 at 23:02
  • Hi JB Nizet, I don't have any personal intention; that's the requirement for better security. – Ars Feb 20 '12 at 23:36
  • 2
    Take a look at this: http://en.wikipedia.org/wiki/Principle_of_least_astonishment Are you writing a frontend to a 3270 system or something? This sounds like a hellish user experience. – Jonathan S. Fisher Feb 21 '12 at 03:16

1 Answer

2

Invalidate session when pressed back button on IE JSP

How about the other browsers? There are many more browsers in the world than only IE.

Anyway, you're going the wrong direction as to solving the "problem". It's technically not reliably possible to invalidate the session when the user presses the back button. Further, I'm not sure how you usually browse on the net, but I'm pretty sure that invalidating the session on pressing the back button would astonish the average webpage visitor.

If your concrete problem is that you'd like to prevent the end user from viewing a restricted page which requires a login after pressing the back button, then you need to just tell the browser to not cache those pages. This is answered in detail here: Prevent user from seeing previously visited secured page after logout

As to invalidating the session as well when the user physically closes the browser, this is technically also not reliably possible. The common approach is to just keep the session timeout relatively short, for example 1 minute, and to introduce an ajax poll which sends a request to the server every 55 seconds or so to keep the session alive. This is answered in detail here: JSF - Keep a session alive for an indefinite amount of time

Community
BalusC
  • Thanks BalusC, I mean to say that, like in banking applications and all, if after logging in we close the browser manually and again type the URL, it will say your session has expired and all. How to achieve that functionality? – Ars Feb 21 '12 at 03:37
  • That's just by default when you close the browser. All of the browser sessions will then expire. The server is just checking the presence of the logged-in user in the session the usual way. – BalusC Feb 21 '12 at 04:28
  • Hi BalusC, but how will the server get notified whether the user has closed the browser or not? And in the above example, I did the same as what you wrote to create one Filter class, so when I am pressing the back button and again forward, it's definitely not landing on the home page, but it's showing: "Webpage has expired. The local copy of this webpage is out of date, and the website requires that you download it again...." Can I give my login page or a link to the login page instead of this page? – Ars Feb 21 '12 at 04:34
  • As said, that's not reliably possible. All you can do is just to hook on the session expire on the server side. I.e. when the session times out and gets destroyed. – BalusC Feb 21 '12 at 04:37
  • And in the above example, I did the same as what you wrote to create one Filter class, so when I am pressing the back button and again forward, it's definitely not landing on the home page, but it's showing: "Webpage has expired. The local copy of this webpage is out of date, and the website requires that you download it again...." Can I give my login page or a link to the login page instead of this page? – Ars Feb 21 '12 at 04:50
  • That's normal when you press back button after a POST request which is not cached in browser. Implement the POST-Redirect-GET pattern wisely. – BalusC Feb 21 '12 at 04:51