response.setHeader("Cache-Control", "no-cache, no-store");
response.sendRedirect(request.getContextPath() + "/login.html");
This code invalidates the session correctly, but after logout, on coming to the login page, when I press the back button it goes to the welcome page by creating a new session by itself. I want to restrict the back button after logout; please help me with this issue.
I am not saying to use either of the above; depending on how much you care about the "back" button, you need to add the second suggestion after incorporating the first.
Amit Ghorpade wrote:
Not a fan of this at all.
Disabling browser functionality like that is frustrating (and often a bit flaky).
You end up wrestling with how a browser is designed to work, and that never ends well.
Adding a filter to the server is far preferable.
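The filter approach, as an added example that is not code from the thread: one servlet Filter mapped to /* that (a) refuses protected URLs unless an authenticated session already exists, using getSession(false) so the request cannot mint the fresh, empty session the original poster sees after "Back", and (b) sends no-cache headers on every protected response, not only on the logout redirect as in the snippet at the top of the thread (headers on the redirect do nothing for the welcome page the browser cached earlier). The paths /login.html, /login, /logout and the session attribute name "user" are assumptions for the example; map the filter in web.xml with a filter-mapping whose url-pattern is /*.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not from the original thread. Assumed layout: the login form
 * lives at /login.html and posts to /login, /logout ends the session, and a
 * successful login stores the user name under the session attribute "user".
 */
public class AuthFilter implements Filter {

    static final String USER_ATTR = "user";

    public void init(FilterConfig cfg) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the context root, e.g. "/welcome.jsp".
        String path = request.getRequestURI().substring(request.getContextPath().length());

        // Public resources pass straight through.
        if (path.equals("/login.html") || path.equals("/login") || path.equals("/logout")) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false): never create a session on a protected URL. A page
        // that calls getSession() (or a JSP with the default session="true")
        // would otherwise hand the "Back" request a brand-new, empty session.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            response.sendRedirect(request.getContextPath() + "/login.html");
            return;
        }

        // Set the headers before the page writes its body, on every protected
        // response: HTTP/1.1 directive, HTTP/1.0 directive and a past expiry.
        // With no stored copy, "Back" must re-request the page, and once the
        // session is gone the check above bounces it to the login page.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        chain.doFilter(req, res);
    }

    public void destroy() { }
}

/** Logout: invalidate whatever session exists, then redirect to the login page. */
class LogoutServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.sendRedirect(request.getContextPath() + "/login.html");
    }
}
```

The browser's "Back" button is still pressed and still works; what changes is that it no longer has a stored copy of the protected page to show, and the request it makes instead is served by the same session check as any other request. Pages that pass the filter should also avoid calling getSession() without the false argument, for the reason in the comment above.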
Dave Tolls wrote:Disabling browser functionality like that is frustrating (and often a bit flaky).
I concur. Personally I also feel it makes for a bad user experience. However I was addressing the following requirement.
vikas gunti wrote: give the solution so the page never goes back after logout
Page never goes back = kill the back button.
And, yes, never mess with the browser's back button. It's not going to buy any real level of security, and can easily be circumvented. All you'll do is tick off your legitimate users.
Bear Bibeault wrote:If you are new to all this, you should probably not be building your own security system.
In fact, unless you are professionally-trained in security details and your sole involvement in the project is the security, you should not be building your own security system.
J2EE/JEE comes with its own professionally-designed, extensively-tested well-documented login and role-based container security system. It can stop attackers before the webapp is even visible to the attacking request.
In contrast, about 95% of all the Do-It-Yourself security systems are nothing more than damp tissue paper and can more often than not be easily defeated by non-technical people in under 15 minutes. Hang around the Ranch for long, and you'll hear me sing that song again. And again. And again. Because it's based on many years of experience. Some of the flimsiest DIY login systems were used in critical things like banking and finance, and often some local "genius" designed them and mandated them for corporate use.
As for the "Back" button, Alt-LeftArrow, etc. forget it. You don't own those controls, the client does. There's nothing in the HTTP standard that supports meddling with the proper operation of the "back" function.
A quality security system such as the J2EE standard one won't care if they hit "Back", because the session will have been logged out and any attempt to reload a secured URL will simply bounce the user to the login screen.