3 Replies Latest reply on Dec 5, 2005 3:49 PM by starksm64

    logout problem ....... please help

    hawajoseph

      Hello, I have a problem with the logout functionality on my web application. It is a simple application that uses DatabaseServerLoginModule to log in, and uses invalidate() in the application and flushOnSessionInvalidation="true" in jboss-web.xml. Also, each JSP page has <%@ page session="false"%> at the very top, and the session is opened (if needed) using HttpSession sess = request.getSession(false); where sess would be used as the session in the page.

      Here is the web.xml snippet:

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Protected Pages</web-resource-name>
          <url-pattern>/select.jsp</url-pattern>
          <url-pattern>/dispatcher</url-pattern> <!-- is a servlet -->
          <url-pattern>/logout.jsp</url-pattern>
          <url-pattern>/page.jsp</url-pattern>
          <url-pattern>/Input.jsp</url-pattern>
          <url-pattern>/Output.jsp</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>myRole</role-name>
        </auth-constraint>
      </security-constraint>
      


      Case:
      1) The user logs into select.jsp and is redirected to login.jsp via j_security_check.
      2) After successful login, the user is redirected to select.jsp.
      3) The user does some browsing (on secure pages that are in the url-pattern list above).
      4) When the user wants to log out, the user clicks on a logout hyperlink, which redirects the user to a servlet and its logout method, see below:

      private String logout(HttpServletRequest req, HttpServletResponse res)
              throws ServletException, IOException {
          HttpSession session = req.getSession(false);
          if (session != null) {
              session.invalidate();
          }

          return "login.jsp";
      }
      // this invalidates the session and the session is now null if System.out is used
      

      5) The user is redirected to the login.jsp page. Now here is the problem: when I click on the back button in the browser, the previous page reappears (even though it is restricted and is in the url-pattern list in web.xml).

      Why is the page reappearing when clicking the back button, even though it is secure? Shouldn't it show the secure login.jsp again? Am I doing something wrong? I'm not sure how I can fix this problem.

      If someone with more experience and knowledge could help, I would really appreciate it.