
after logout back button is working returning to authenticated page

 
vikas gunti
Greenhorn
Posts: 19
I am working on a simple HTML and servlet based application; in it I wrote the code for the logout servlet as follows:

// Cache headers must be set before any output is written; once the response
// has been committed they are silently discarded.
response.setContentType("text/html");
response.setHeader("Cache-Control", "no-cache, no-store");
response.setHeader("Pragma", "no-cache");
request.getRequestDispatcher("Nextpage.jsp").include(request, response);

// Drop the session, then confirm it is gone: getSession(false) returns null
// rather than creating a new one.
request.getSession().invalidate();
System.out.println(request.getSession(false));
response.sendRedirect(request.getContextPath() + "/login.html");

This code invalidates the session correctly, but after logout, when I come to the login page and press the back button, it goes to the welcome page by creating a new session by itself. I want to restrict the back button after logout; please help me with this issue.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65519
Do your pages not have filters that disallow viewing when there is no login?
 
vikas gunti
Greenhorn
Posts: 19
Will you please give me an explanation? I am a new programmer; I didn't understand what a filter is. Give the solution so the page never goes back after logout.
 
Amit Ghorpade
Bartender
Posts: 2856
A quick Google search about filters will help you know what filters are. Here is one such link.
Another thing is to use Javascript to intercept the back button and invalidate+redirect.
I am not saying to use either of the above; depending on how much you care about the "back" button, you need to add the second suggestion after incorporating the first.
 
Dave Tolls
Ranch Hand
Posts: 2271
Amit Ghorpade wrote:
Another thing is to use Javascript to intercept the back button and invalidate+redirect.


Not a fan of this at all.
Disabling browser functionality like that is frustrating (and often a bit flaky).
You end up wrestling with how a browser is designed to work, and that never ends well.


Adding a filter to the server is far preferable.
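A server-side filter of the kind Bear and Dave are talking about, as an added example that is not code from the thread or from any of the posters. It assumes the login servlet stores the user name under a session attribute named "user", that the pages to protect are /welcome.jsp and anything under /secure/, and that login.html is the login page, as in the original question; the Servlet 3.0 @WebFilter annotation registers it without a web.xml entry.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumed URL patterns: adjust to the pages your application actually protects.
@WebFilter(urlPatterns = {"/welcome.jsp", "/secure/*"})
public class AuthenticationFilter implements Filter {

    // Assumed: the login servlet sets this attribute after a successful login.
    static final String USER_ATTRIBUTE = "user";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session. After logout it returns null,
        // and a brand-new session created by some other page carries no user
        // attribute; both cases count as "not logged in".
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTRIBUTE) != null;

        if (!loggedIn) {
            response.sendRedirect(request.getContextPath() + "/login.html");
            return;
        }

        // Set before the page writes anything, otherwise the headers are lost once
        // the response is committed. They ask the browser not to show a cached
        // copy on Back, so the request comes back through this filter instead.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```

The redirect check is the actual control: after session.invalidate() every request for a protected page bounces to login.html regardless of what the browser does. The cache headers only improve the experience; a browser that still renders a stale copy from its cache shows old content, but nothing it then requests from the server succeeds.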
 
Amit Ghorpade
Bartender
Posts: 2856
Dave Tolls wrote: Disabling browser functionality like that is frustrating (and often a bit flaky).

I concur. Personally I also feel it makes for a bad user experience. However, I was addressing the following requirement.
vikas gunti wrote: give the solution so the page never goes back after logout

Page never goes back = kill the back button.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65519
If you are new to all this, you should probably not be building your own security system. I would learn about the security built into the servlet specification and rely upon that.

And, yes, never mess with the browser's back button. It's not going to buy any real level of security, and can easily be circumvented. All you'll do is tick off your legitimate users.
 
Tim Holloway
Bartender
Posts: 18408
Bear Bibeault wrote:If you are new to all this, you should probably not be building your own security system.


In fact, unless you are professionally-trained in security details and your sole involvement in the project is the security, you should not be building your own security system.

J2EE/JEE comes with its own professionally-designed, extensively-tested, well-documented login and role-based container security system. It can stop attackers before the webapp is even visible to the attacking request.

In contrast, about 95% of all the Do-It-Yourself security systems are nothing more than damp tissue paper and can more often than not be easily defeated by non-technical people in under 15 minutes. Hang around the Ranch for long, and you'll hear me sing that song again. And again. And again. Because it's based on many years of experience. Some of the flimsiest DIY login systems were used in critical things like banking and finance and often some local "genius" designed it and mandated it for corporate use.

As for the "Back" button, Alt-LeftArrow, etc. forget it. You don't own those controls, the client does. There's nothing in the HTTP standard that supports meddling with the proper operation of the "back" function.

A quality security system such as the J2EE standard one won't care if they hit "Back", because the session will have been logged out and any attempt to reload a secured URL will simply bounce the user to the login screen.
 
Dave Tolls
Ranch Hand
Posts: 2271
Tim Holloway wrote:
Some of the flimsiest DIY login systems were used in critical things like banking and finance and often some local "genius" designed it and mandated it for corporate use.


I think I've worked there...
 
Tim Holloway
Bartender
Posts: 18408
Dave Tolls wrote:
Tim Holloway wrote:
Some of the flimsiest DIY login systems were used in critical things like banking and finance and often some local "genius" designed it and mandated it for corporate use.


I think I've worked there...


ALL of them?
 