Prohibit the user from going back to a secure page after logout, JSP with Firefox 5.0
I want to prohibit the user from going back to a secure page after logout when he/she clicks on the back button in the browser (in my case it is Mozilla Firefox 5.0). I found two ways, setting proper headers:
response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
response.setHeader("Pragma", "No-cache");
response.setDateHeader("Expires", 0);
or disabling the back button using JavaScript:
<script type="text/javascript">
window.history.forward(1);
</script>
Actually, the JavaScript doesn't disable the back button, it just forwards the user one page ahead in the history, which should serve the purpose.
But neither works. My logout page contains the following code:
<script type="text/javascript">
window.history.forward(1);
</script>
<% HttpSession ses=request.getSession(false);
ses.invalidate();
String referer = request.getHeader("Referer");
response.sendRedirect(referer);
response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
response.setHeader("Pragma", "No-cache");
response.setDateHeader("Expires", 0);
%>
It doesn't serve my purpose. Please help.
Those headers need to be set on all the secured pages themselves, not on the JSP where you're placing the logout logic, which actually belongs in a servlet. Even more, since you're sending a redirect here, those headers have totally no effect.
The proper approach would be to map a Filter on the desired URL pattern which does the job. I'm sure that the majority of the answers which you initially found here are also suggesting that :)
See also:
- Prevent user from seeing previously visited secured page after logout