Java EE/Java Browser Security
I have a problem with my Java EE (Tomcat) Java-based web application.
- user logs in to website
- user views an SSL page on our web site
- user logs off, session invalidated
- user gets redirected to login page (ssl)
- user hits the back button and is able to get to the page in step 2.
How is this avoidable?
Set the Cache-Control header on those pages to

    no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0

(also Expires, Last-Modified, Pragma)

See this question for how to do it.
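One way to apply those headers in a Tomcat application, as an added example that is not part of the original answer: a servlet filter that stamps every response for a logged-in area with the no-cache headers. It assumes Servlet 3.0 or later (the `javax.servlet` namespace and `@WebFilter`), and that pages requiring a login live under the hypothetical prefix `/secure/`; both are assumptions to adjust for your own application.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not from the original post.
 *
 * Tells the browser (and any proxy on the way) not to keep a copy of pages
 * served to a logged-in user, so pressing Back after logout cannot show one
 * from the local cache. "no-store" is the directive that matters most: it is
 * the one that keeps the page out of the browser's history/back-forward cache.
 *
 * Assumptions: Servlet 3.0+ (javax.servlet, @WebFilter) and that every page
 * requiring a login is mapped under the hypothetical prefix "/secure/".
 * Mapping the filter to "/*" also works but disables caching of static assets.
 */
@WebFilter(urlPatterns = {"/secure/*"})
public class NoCacheFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;

        // Set the headers BEFORE passing the request on: once the servlet or
        // JSP has committed the response, further setHeader calls are ignored.
        response.setHeader("Cache-Control",
                "no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0");
        // HTTP/1.0 caches and older proxies only understand Pragma.
        response.setHeader("Pragma", "no-cache");
        // A date in the past (0 = 1 Jan 1970) marks the page as already expired.
        response.setDateHeader("Expires", 0);
        // Make each copy look freshly generated so revalidation never hits.
        response.setDateHeader("Last-Modified", System.currentTimeMillis());

        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Two things to check after deploying it: the login page the user is redirected to after logout should fall under the same filter (or set the same headers itself) so that it is not served from cache either, and the headers only stop the browser from showing a stale copy; the server must still reject any request made from that stale page, which it does because the session was invalidated at logout.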
The user is only receiving a cached copy of the logged-in page. If they try to do anything on that page, they will find the session has ended.
One possible method of stopping this (although it may not be the best) is to add some JS to each page that will redirect the user to the log-in page if the session has ended.