servlet session , after logout , when back button of browser is pressed , again the secure page is shown
Your filter is setting the no-cache headers on the welcome.html only, not on the restricted pages. So whenever the browser requests any of those restricted pages via back button, it will likely show up the cached version. Your filter needs to set the no-cache headers on all restricted pages.
So, you need to change
if (session == null || session.getAttribute("username") == null) {
response.sendRedirect("welcome.html"); // No logged-in user found, so redirect to login page.
response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
response.setDateHeader("Expires", 0);
} else {
chain.doFilter(req, res);
}
to
if (session == null || session.getAttribute("username") == null) {
response.sendRedirect("welcome.html"); // No logged-in user found, so redirect to login page.
} else {
response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
response.setDateHeader("Expires", 0);
chain.doFilter(req, res);
}
cc4re
Cc4rE [A polyglot in programming] Software Engineer , Non-Artistic developer , currently working as a Member of the Technical Team at an International Organization . I love coding ,as a programmer . My interest is to contribute more to the Open source development , I use Linux and Windows for my development.I works frequently on Java , js , GCC and Dot-net , as an Independent developer i have worked on many languages , Created applications on RAD and Low level driver interfacing . You can connect me anytime for any doubts and queries related to Programming.
Updated on December 08, 2020Comments
-
cc4re over 3 years
I have a servlet and a HTML page. How can I prevent the user from hitting the back button of the browser after logout? I have read the same question in stackoverflow , but the answers are using browser history disable with java script or using page--no cache in http headers. How can we implement it using servlets that prevent the go back action, the http-header no cache is useless as Firefox says the page is expired when it is refreshed two times again the secure page is shown.
I have done in a way , sample method just for a try (not real) My username and password are posted to the servlet from HTML page the servlet stores this in a session if the password and username are correct. When again the secure page is requested, if session exists the secure page is shown and id the user log outs from the session the login page is show all are working except the logout fails if the user hits back button of the browser.
How can we prevent the secure servlet from showing the content after logout and then back button is pressed in the browser ?
src of welcome.html
<html> <body> <form method="POST" action="Sessionexample"> <div align="center"> <table border="1" style="border-collapse: collapse"> <tr> <td>Username</td> <td><input type="text" name="username" size="20"></td> </tr> <tr> <td>Password</td> <td><input type="text" name="password" size="20"></td> </tr> <tr> <td height="24"> </td> <td height="24"> </td> </tr> <tr> <td> </td> <td><input type="submit" value="Submit" name="B1"></td> </tr> </table> </div> </form> </body> </html>src of the servlet
public class Sessionexample extends HttpServlet implements Servlet , Filter { private static final long serialVersionUID = 1L; public String username =null, password=null; public HttpSession session ; public PrintWriter pw; int do_get =0 ; /** * Default constructor. */ public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { HttpServletRequest request = (HttpServletRequest) req; HttpServletResponse response = (HttpServletResponse) res; HttpSession session = request.getSession(false); if (session == null || session.getAttribute("username") == null) { response.sendRedirect("welcome.html"); // No logged-in user found, so redirect to login page. response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1. response.setHeader("Pragma", "no-cache"); // HTTP 1.0. response.setDateHeader("Expires", 0); } else { chain.doFilter(req, res); } } protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { do_get=1; pw = response.getWriter(); session=request.getSession(false); try { if(request.getParameter("action")!=null) { if(request.getParameter("action").equals("logout")) { session = request.getSession(true); session.setAttribute("username", ""); session.setAttribute("password", ""); session.invalidate(); response.sendRedirect("welcome.html"); return; } } else if(session !=null) { if( (String)session.getAttribute(username)!=null) username = (String)session.getAttribute("username").toString(); if( (String)session.getAttribute("password") !=null) password =session.getAttribute("password").toString(); pw.write("not new-"); serviced(request,response); } } catch(Exception ex) { pw.write("Error-"+ex.getMessage()); } } /** * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response) */ protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { if(request.getParameter("username")!=null && request.getParameter("password")!=null ) { username = request.getParameter("username").toString(); password = request.getParameter("password").toString(); } serviced(request,response); } protected void serviced(HttpServletRequest request, HttpServletResponse response) throws IOException { response.setContentType("text/html"); pw = response.getWriter(); if( username !=null && password !=null) if( username.equals("admin") && password.equals("a")) { try { if(do_get==0) { session = request.getSession(true); session.setAttribute("username", "admin"); session.setAttribute("password", "a"); } pw.write("You are logged in : "+username+" <br/> "+"<a href='?action=logout'><h1> Logout </h1> </a>"); } catch(Exception ex) { response.sendRedirect("welcome.html"); } } else { response.sendRedirect("welcome.html"); } else response.sendRedirect("welcome.html"); } @Override public boolean accept(Object arg0) throws IOException { // TODO Auto-generated method stub return false; } } -
cc4re about 11 yearsi think chaining is needed !!