jsp - Prevent user from seeing previously visited secured page after logout
I have a requirement that the end user should not be able to go to a restricted page after logout/sign out. But the end user is able to do so using the browser back button, visiting the browser history, or re-entering the URL in the browser's address bar.
Basically, I want the end user to not be able to access the restricted page in any way after sign out. How can I achieve this best? Can I disable the back button with JavaScript?
You can, but you should not disable the browser back button or history. That's bad for the user experience. There are JavaScript hacks, but they are not reliable and also won't work when the client has JS disabled.
Your concrete problem is that the requested page has been loaded from the browser cache instead of straight from the server. This is essentially harmless, but indeed confusing for the end user, because s/he incorrectly thinks that it's really coming from the server.
You just need to instruct the browser to not cache all the restricted JSP pages (and not the logout page/action itself!). This way the browser is forced to request the page from the server instead of from the cache, and hence all login checks on the server will be executed. You can do this using a Filter which sets the necessary response headers in the doFilter() method:
```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

@WebFilter
public class NoCacheFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
        response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
        response.setDateHeader("Expires", 0); // Proxies.
        chain.doFilter(req, res);
    }

    // ...
}
```
Map this filter on a url-pattern of interest, for example *.jsp.

```java
@WebFilter("*.jsp")
```

Or if you want to put this restriction on secured pages only, then you should specify a URL pattern which covers all those secured pages. For example, when they are all in the folder /app, then you need to specify the URL pattern of /app/*.

```java
@WebFilter("/app/*")
```
Even more, you can do this job in the same Filter as where you're checking the presence of the logged-in user.
Don't forget to clear the browser cache before testing! ;)
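The combined approach mentioned at the end of the answer (one filter that both forbids caching and performs the login check), as an added example that is not part of the original question or answer. It assumes the javax.servlet API (Servlet 3.0 or newer), that the logged-in user is kept in a session attribute named "user", that the login page lives at /login.jsp, and that logout is a POST to /logout; all of these names are hypothetical. Because the headers are sent on every response from /app/*, a later back-button or history visit cannot be satisfied from the browser cache, the request reaches the server, and the filter redirects it when the session has been invalidated by the logout servlet.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not the original answer's code. Guards everything under /app/*:
// sends no-cache headers on every response and redirects anonymous requests to login.
@WebFilter("/app/*")
public class LoginAndNoCacheFilter implements Filter {

    // Hypothetical names; adapt to the application's own conventions.
    private static final String USER_ATTRIBUTE = "user";
    private static final String LOGIN_PAGE = "/login.jsp";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Set the headers before any decision, so that both the secured page and the
        // redirect are uncacheable; a back-button visit must always hit the server.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1
        response.setHeader("Pragma", "no-cache"); // HTTP 1.0
        response.setDateHeader("Expires", 0); // Proxies

        // getSession(false) avoids creating a fresh session for anonymous visitors.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTRIBUTE) != null;

        if (loggedIn) {
            chain.doFilter(req, res); // Authenticated: serve the secured page.
        } else {
            // Not (or no longer) logged in: never render the secured page.
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
        }
    }
}

// Added example of the matching logout action (hypothetical path /logout).
// Invalidating the session is what makes the filter's check fail afterwards.
@WebServlet("/logout")
class LogoutServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate(); // Drops the "user" attribute along with the session.
        }
        // The redirect response itself is also uncacheable if /logout is under /app/*;
        // otherwise set the same no-cache headers here as well.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);
        response.sendRedirect(request.getContextPath() + "/login.jsp");
    }
}
```

To verify it works, log in, open a page under /app/, log out, and then press the browser back button: the request should appear in the server access log and end in a redirect to the login page rather than in a cached copy of the secured page. As the answer notes, clear the browser cache first, because pages cached before the filter was deployed still carry their old caching headers.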