
I am busy with a site which has only one page, accessible only after logging in: home.jsp. Once the user is logged in with a valid session, if he presses the back button on the browser then he should be redirected to login.jsp, and again if he presses the browser's forward button. He should not be able to get to home.jsp without logging in. So after doing some searches, I've implemented:

<%
response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
response.setHeader("Pragma", "no-cache");
response.setDateHeader("Expires", 0);
%>

on the home.jsp page, and upon pressing the forward button it says the web page has expired, but what I'm looking for is my custom page, something like sessionExpired.jsp saying to log in again...

Please help me out with how to fix this.

stealthyninja
Ars

1 Answer


Implement the Post-Redirect-Get pattern. So, every time the end user sends a (successful) POST request, send a redirect to the target page instead of a forward. This way the back button will point to the redirected GET request instead of the initial POST request.

E.g. in your doPost() method handling the login:

User user = userService.find(username, password);

if (user != null) {
    // Login succeeded: store the user in the session, then redirect (PRG) so the
    // browser history holds the GET of home.jsp rather than the POST to the login.
    request.getSession().setAttribute("user", user);
    response.sendRedirect(request.getContextPath() + "/home.jsp");
}

And in your doPost() method handling the logout:

// Drop the whole session, then redirect (PRG) so the back button lands on the GET of login.jsp.
request.getSession().invalidate();
response.sendRedirect(request.getContextPath() + "/login.jsp");

Do not forget to implement a no-cache filter as instructed in Prevent user from seeing previously visited secured page after logout, otherwise the browser might still present the previously visited secured page from its cache. It is not correct to set these response headers in every single JSP via the scriptlet way, as visible in your code snippet.

BalusC
  • @BalusC -- Thanks. Can I use the same logic with the `RequestDispatcher` method also, in which I'll be going to the target via rdObj.forward(request, response) (rdObj being a `RequestDispatcher` object)? – Ars Apr 02 '12 at 18:26
  • This does not send a redirect. It sends a forward. Do you understand the difference? – BalusC Apr 02 '12 at 18:27