1. Use a servlet filter or the container's inbuilt security to prevent secure URLs from being retrieved by an unauthenticated or unprivileged user.
2. Stick appropriate headers in your HTML response to try and persuade browsers and proxies not to cache the page. Having said that, it never seems to completely work with all browsers and especially proxies (MS Proxy, anyone?). What are the appropriate headers? I can never remember, because I tend to use libraries that do the job for me (e.g. in Struts you can set a nocache option). There's a Cache-Control header, some date headers you can fiddle, and so forth. See the HTTP 1.1 spec.
3. If it's really secure, use HTTPS.
- Peter