
Java EE/Java Browser Security

I have a problem with my Java EE (Tomcat) Java-based web application.

  • user logs in to the website
  • user views an SSL page on our web site
  • user logs off, session invalidated
  • user is redirected to the login page (SSL)
  • user hits the back button and is able to get to the page in step 2.

How is this avoidable?


Set the Cache-Control header on those pages to

no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0

(also Expires, Last-Modified, Pragma)

see this question for how to do it
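
One way to apply those headers in a Tomcat application, as an added example that is not part of the original answer: a servlet Filter that stamps every response under a protected path with Cache-Control, Pragma and Expires before the page body is written. It assumes Servlet 3.0+ with the javax.servlet API (Tomcat 7 to 9); the /secure/* URL pattern is a placeholder for wherever the logged-in pages live.

```java
// Added example (not from the original question or answers): a servlet
// Filter that sets the no-cache headers the answer lists, so a browser
// will not serve the logged-in page from its cache after logout.
// Assumes Servlet 3.0+ / javax.servlet (Tomcat 7-9); the URL pattern
// "/secure/*" is a placeholder for the application's protected pages.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

@WebFilter(urlPatterns = "/secure/*")
public class NoCacheFilter implements Filter {

    @Override
    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        // HTTP/1.1: forbid storing the response and require revalidation
        // before any reuse (post-check/pre-check are legacy IE directives).
        resp.setHeader("Cache-Control",
                "no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0");
        // HTTP/1.0 proxies and older browsers only honour Pragma.
        resp.setHeader("Pragma", "no-cache");
        // A date in the past (epoch 0) marks the response as already expired.
        resp.setDateHeader("Expires", 0L);
        // Headers must be set before the response is committed, so they are
        // written here and only then is the request passed down the chain.
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

The same headers can be set per page from a servlet or JSP, but a filter guarantees that no protected page is missed.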


The user is only receiving a cached copy of the logged in page. If they try to do anything on that page, they will find the session has ended.

One possible method of stopping this (although it may not be the best) is to add some JS to each page that will redirect the user to the log-in page if the session has ended.

