Hi Folks,
Im trying to logout a user from my web application using the servlet code below.
response.setHeader("Cache-Control","no-cache"); response.setHeader("Cache-Control","no-store"); HttpSession session = request.getSession(); session.removeAttribute("user"); session.invalidate(); RequestDispatcher rd= request.getRequestDispatcher("public/login.jsp"); rd.forward(request, response);
and assigning the above servlet to a logout link, now the above works correctly ,But it would allow the person to be able to see a protected screen below to a particular user by clicking browser back button , even though any action after that forces the user to login . Is there any way I can prevent an unauthorised user from viewing protected content by hitting the back button of the browser?
Thanks

Hi....
I suggest you use a client side cookie...say IsLoggedIn. if the content of IsLoggedIn is "true"(check in onload javascript), let it be. If its not, redirect to login page. You would set the cookie in server code in login page. You would clear the cookie in server code in logout page. Dont remove any server side validation for session. Keep it as it is...

Hope this helps...

Thank you for your suggestion!

Uh just as an update, I found a work around to the situation rather than implementing the client side script on all pages . I cleared the cache through a filter , and solved the problem . May help any one facing similar issues in the future

Hi Vic...What do you mean by clearing cache through a filter? Could you elaborate it!

See the JspFaq.