Redirect to login on 'Back' button in same session?

 
Ranch Hand
Posts: 52
Hi all,

Our customer has raised a concern with our web application with the following scenario:

1. User logs in and uses application.
2. User types in new address in browser and navigates off our site without explicitly logging out.
3. User hits 'Back' button and is returned to our application with the original session still active.

I have seen many articles and postings related to controlling the browser cache and redirecting the user to the login when the session has expired or been invalidated, but nothing involving this scenario in which the session is still active. I'm not sure how to control this since we have a valid session. I am researching use of the 'Referer' header to see if this might be a reliable way to test if a request came from within our application, but I suspect this is far from fool-proof.

Anyone come across similar requirements from a customer, or have experience with using 'Referer' to control this?

Thanks for any advice.
 
Ranch Hand
Posts: 110
Hi Ted,

I think there is no code like session.invalidate() to invalidate the session when doing log out.

or

you have to write the front controller which checks every time whether the session is already created for that user, and only then allows that user to access any URL (nothing but forwarding that request) that he types in the address bar.