need help implementing logout

After logging out of my application, clicking the back arrow sends the user to the previous page, but the user remains locked out. However when you get to a page that contains a form, you're presented with a dialog box that essentially re-posts the login data! How can I over ride this. I thought I had all the bases covered with the code below:


Clicking 'log out' on my application, the following code is called:

if (request.getParameter("logout") != null){ if(session != null){ if (session.getAttribute("loginBean")!= null){ LoginBean lbean = (LoginBean)session.getAttribute("loginBean"); String lastname = lbean.getLastName(); logger.info("["+lastname+"] logged out"); } session.removeAttribute("loginBean"); session.invalidate(); request.setAttribute("Error", "YOU HAVE BEEN LOGGED OUT!"); address = "/login.jsp"; } }

...and in the JSPs, I have this in the header:

<% long currentTime = System.currentTimeMillis(); long tenMinutes = 10*60*1000; //in milliseconds response.setDateHeader("Expires", currentTime + tenMinutes); //Forces caches to obtain a new copy of the page from the origin server response.setHeader("Cache-Control","no-cache"); response.setHeader("Cache-Control","no-store"); %> <!-- Only allows access to a page if authentication session bean, loginBean if not null --> <% if (session.getAttribute("loginBean") == null) { request.setAttribute("Error", "Session has ended. Please login."); RequestDispatcher rd = request.getRequestDispatcher("login.jsp"); rd.forward(request, response); } %>

You could implement a more complex session management system that creates a database entry for each active session. You could also choose to instead of invalidating the session, setting a 'disabled' flag.

There's probably some other 'cleaner' approaches although having a table that manages active sessions can be useful for tracking and management.

Thank you for your prompt reply Scott.

You could implement a more complex session management system that creates a database entry for each active session.

How would this work? do I save a session_id to the database and compare with each new login?

i can suggest a simple javascript approach

in the logout.jsp page

after the form tage place in javascript as follows

window.history.forward(1);

so when ever you press the back page it will forward the login.jsp page.

Try disabling the browser cache.Probably the pages getting fetched from the cache.And in the header of every page add session check.If the user is not authinticated then redirect to the login page.To disable the browser , you can use meta-link in the head tag of each of the html's.

Unless you are certain no user will be accesing with an older browser, you may want to add the folowing to your JSPs.

response.setHeader("Pragma", "no-cache");

This is a nice article on how to fix the logout problem. http://www.javaworld.com/javaworld/jw-09-2004/jw-0927-logout.html