4

This is the code that I have written in the login page:

    HttpSession session = request.getSession(true);
    session.setAttribute("name", user1);
    String nme = (String) session.getAttribute("name");

And this is the code for logout.jsp:

    <%
    request.getSession().invalidate();

    // OR

    if (session != null) {
        session = null;
    }

    // OR

    request.getSession().setAttribute("name", null); // it just assigns null to the attribute

    response.sendRedirect("login.jsp");
    %>

The session is being created, but after logout the button is working.... I want the back button to not work.

icza
Madhavi Talla
  • Browser's back button will load the page from its cache (no request to server). So the server side validation won't work here. –  Oct 21 '14 at 05:05
  • The session variable should be checked on the server side, so it should not be relevant as to whether the user pushes the back button or not. – Scary Wombat Oct 21 '14 at 05:07
  • possible duplicate of [java session management](http://stackoverflow.com/questions/1835764/java-session-management) – lxcky Oct 21 '14 at 05:12

3 Answers

6

To log out or invalidate the current session, you have the correct code in place, as below.

    request.getSession().invalidate();

Now, after you hit the back button of the browser, it is loading the page from the cache. So, in order to take care of this situation, you can do the 2 things below.

  1. Manipulate the browser history using HTML 5's History API so that when you click the back button it goes to the desired location as you manipulate it.

  2. Suggest user to close the page, as general secured websites do after successful session logout, like bank websites & financial websites.

Alternatively, you can write & configure an interceptor class in servlet container/server end to manipulate the cache by adding below parameters in the response.

        response.setHeader("Cache-Control", "no-cache");
        response.setHeader("Pragma", "no-cache");
        response.setHeader("Expires", "-1");

Hope this helps you out.

Shishir Kumar
  • HttpServletResponse response = ServletActionContext.getResponse(); – Madhavi Talla Oct 21 '14 at 05:26
  • You need to do this in an interceptor and not in the JSP. Interceptor will intercept the response and write these parameters before JSP receives the response. If you do this in JSP then it will not have any effect on the cache as you are doing this after JSP has already read & processed it. – Shishir Kumar Oct 21 '14 at 06:15
  • ServletActionContext is giving an error. I think it is in Struts, right? – Madhavi Talla Oct 21 '14 at 09:13
  • Yes, I had already corrected the example. You need to get hold of response object based upon your application architecture. – Shishir Kumar Oct 21 '14 at 09:26
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/63396/discussion-between-shishir-kumar-and-madhavi-talla). – Shishir Kumar Oct 21 '14 at 10:54
0

Just remove the attribute from the session, and check if it exists:

    request.getSession().removeAttribute("name");

and check like:

    if (request.getSession().getAttribute("name") == null) {
        // the "name" attribute no longer exists in the session
    }
Nishad K Ahamed
0

Your problem is not with the session, as it will not be used in a page that has already been loaded and is simply loaded from the cache (back button functionality).

Consider utilizing location.href.replace in your client code.

location.href.replace(url): Replace the current document with the one at the provided URL. The difference from the assign() method is that after using replace() the current page will not be saved in session history, meaning the user won't be able to use the Back button to navigate to it.

Scary Wombat