logout problem ....... please help
hawajoseph Dec 3, 2005 12:44 PM

Hello, I have a problem with the logout functionality on my web application. It is a simple application that uses DatabaseServerLoginModule to log in and uses invalidate() in the application and flushOnSessionInvalidation="true" in jboss-web.xml. Also, each page in the jsp has <%@ page session="false"%> on the very top, and the session is opened (if needed) using HttpSession sess = request.getSession(false); where the sess would be used as session in the page.
here is the web.xml snippet:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Pages</web-resource-name>
        <url-pattern>/select.jsp</url-pattern>
        <url-pattern>/dispatcher</url-pattern> <!--is a servlet-->
        <url-pattern>/logout.jsp</url-pattern>
        <url-pattern>/page.jsp</url-pattern>
        <url-pattern>/Input.jsp</url-pattern>
        <url-pattern>/Output.jsp</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>myRole</role-name>
    </auth-constraint>
</security-constraint>
case:
1) the user logs into the select.jsp and is redirected to the login.jsp via j_security_check
2) after successful login, the user is redirected to the select.jsp
3) the user does some browsing (on secure pages that are in the url-pattern listed above)
4) when the user wants to logout, the user clicks on a hyperlink logout, which redirects the user to a servlet to the logout method, see below:
private String logout(HttpServletRequest req, HttpServletResponse res)
        throws ServletException, IOException {
    HttpSession session = req.getSession(false);
    if (session != null) {
        session.invalidate();
    }
    return "login.jsp";
}
// this invalidates the session and the session is now null if system.out is used
5) the user is redirected to the login.jsp page. Now here is the problem: when I click on the back button in the browser, the previous page reappears (even though it is restricted and is in the url-pattern in web.xml).
Why is the page reappearing when clicking the back button, even though it is secure? Shouldn't it show the secure login.jsp again? Am I doing something wrong? I'm not sure how I can fix this problem.
If someone with more experience and knowledge could help, I would really appreciate it.