struts-user mailing list archives

From Laurie Harper <>
Subject Re: How to prevent URL cached
Date Fri, 02 Dec 2005 00:55:33 GMT
Or use container managed security (which, I think, can be used for 
static as well as dynamic content?)... Like I said, there are a lot of 
options... ;-)

Michael Jouravlev wrote:
> Did you say pages are static (HTML)? Or they are JSPs? Or does request
> pass through Struts action? If they are not plain HTML, then in your
> action or in JSP page check if user is logged in. If not, redirect to
> login page.
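> Here is a simple scriptlet that you should stick at the beginning
> of every session-related page:
> <%
>    // Send users without a logged-in session to the login page.
>    if (session.getAttribute("USER") == null) {
>        response.sendRedirect("");
>        return; // stop processing the rest of the page after the redirect
>    }
> %>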
> Or you may want to write a guard tag, see Ted Husted's MailReader
> sample application for details. Or you may want to write a servlet
> filter.
> Michael.
> On 12/1/05, info3853 Bush <> wrote:
>> Yes, I did that. Now all pages are blank. What I really wish is that after logout,
>> when the user hits the "back" button, the page goes back to login page, never visit all pages visited
>> before even just blank page now.
>> Michael Jouravlev <> wrote:
>> On 12/1/05, info3853 Bush wrote:
>>> That's true. This topic belongs to web application security.
>>> The thing is that all static content is shown when you use the "back" button.
>>> Of course, you can't click any link since the session is already invalidated.

>> Mark page as non-cacheable with "no-cache, no-store" cache-control
>> header. You may want to add some other headers too, like
>> must-revalidate. When you hit Back, the browser would try to reload a
>> page, here you would show the error.
>> Michael.
