
Internet Explorer Back Button

 
srinivasa sakhamuri
Greenhorn
Posts: 3
I am developing a web site. In it I am using the filter concept for authentication. My problem is this: whenever a user enters his username and password, the filter automatically checks whether this user exists or not. If the user exists, control goes to our member area, i.e., enters our web site, which has many links. If you click on any link, the cursor goes to that page, and on that page I log out of the site (for our interest). Then the cursor goes to the admin page (that is set in the filter). If at this time I press the Internet Explorer Back button, control goes to whatever link I previously logged out from. This is the actual problem.

But I am using cache methods also.
 
Daniel Rhoades
Ranch Hand
Posts: 186
Why not store the authentication information in a session attribute and check for that in your filter?

Also, consider using form-based container managed authentication and authorisation.
 
Yuriy Zilbergleyt
Ranch Hand
Posts: 429
Two possible causes for the problem:

1. Your filter doesn't map to the linked pages. It must cover everything that you want to protect, not just your main page.

2. Even if the filter covers everything, the browser stores the pages in a cache. When the user clicks "Back", the browser can use the cached pages without actually asking the server for the page again. This means the server doesn't even know that the user is viewing the page a second time, so the filter becomes useless.

For case 2, all the pages you want to protect need to set headers that would tell the browser to never cache the pages.

Try putting the following three calls in the doFilter() of the filter:

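// doFilter() receives a ServletResponse; cast it to set HTTP headers
HttpServletResponse httpResponse = (HttpServletResponse) response;
httpResponse.setHeader("Cache-Control", "no-cache");
httpResponse.setHeader("Pragma", "no-cache");
httpResponse.addHeader("Cache-Control", "no-store");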

This way no page retrieved through the filter will be cached by browsers that respect these headers.

Note that if your filter only protects the main page, you need to follow Daniel's advice and have each page check the session to see if the user is logged in or not. In this case the headers must be set in every page to make sure they are not cached.

-Yuriy
[ August 18, 2005: Message edited by: Yuriy Zilbergleyt ]
 