tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Reynir Hübner <>
Subject RE: no cache - the browser back button
Date Fri, 28 Jun 2002 17:14:56 GMT
the problem you are dealing with is the fact that the browser does not reload pages when you
press the back button.

the only solution after the following :  

the user logs out (session.invalidate()).
the user presses back
if the user presses any link or submits any form on the page, the request must be Validated,
to see if the user is logged on, and display a logon page instead of executing some things
that the logged on user should only be able to execute.

you can decrese the possibility that the user goes backwards in history of the browser, by
deleting the history with client-side-javascript, but there is always the possibility that
the user will have this page in his history (different browsers.etc), so the only real way
to take care of this is what I mentioned above, check in every user-specific procedure, if
the user is logged on, and display an error page or logon page if the user is not.

hope it helps

> -----Original Message-----
> From: Paul Phillips []
> Sent: 28. júní 2002 17:10
> To: Tomcat Users List
> Subject: no cache - the browser back button
> Hello
> I have written a simple servlet-jsp application that uses 
> sessions and form 
> based authentication using the container security.  It is 
> running under 
> Tomcat 4.03
> I have implemented a logout page that has, as its last line:
> mysession.invalidate().
> This seems to close  this session just fine - I can go to the 
> login page 
> and login again.
> However, I have noticed that if I am on the logout page, and 
> press the back 
> button, I get the previous page from the cache.  If I try to click on 
> anything on that previous page, it bumps me out to the login page, 
> indicating that the session I am trying to use has expired.
> This is good.
> However, I don't even want the back button to allow the user 
> to go back to 
> a previous page at all.
> I have put this code at the top of the jsp page before the 
> logout page:
> response.setHeader("Cache-Control","no-store"); 
> response.setHeader("Pragma","no-cache"); 
> response.setDateHeader ("Expires", 0);  
> This does not prevent the problem.  I have tried "no-cache" 
> instead of 
> "no-store". Still doesn't work.  I have tried moving the code to the 
> servlet that drives this jsp (mvc).  Still no luck.
> I have tried this with both Microsoft Explorer 5 and Netscape 
> 6 on a Mac 
> and I can't get either to work.
> What am I doing wrong?  How can I accomplish this?
> Thanks
> Paul Phillips
> --
> To unsubscribe, e-mail:   
> <>
> For additional commands, e-mail: 
> <>

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message