3 Replies Latest reply on Dec 5, 2005 3:49 PM by Scott Stark

    logout problem ....... please help

    Joseph Hawa Newbie

      Hello, I have a problem with the logout functionality on my web application. It is a simple application that uses DatabaseServerLoginModule to log in, and uses invalidate() in the application and flushOnSessionInvalidation="true" in jboss-web.xml. Also, each page in the JSP has <%@ page session="false"%> at the very top, and the session is opened (if needed) using HttpSession sess = request.getSession(false); where sess would be used as the session in the page.

      here is the web.xml snippet:

       <web-resource-collection>
         <web-resource-name>Protected Pages</web-resource-name>
         <url-pattern>/dispatcher</url-pattern> <!-- is a servlet -->
       </web-resource-collection>

      1) The user logs into select.jsp and is redirected to login.jsp via j_security_check.
      2) After a successful login, the user is redirected to select.jsp.
      3) The user does some browsing (on secure pages that are in the url-pattern listed above).
      4) When the user wants to log out, the user clicks on a logout hyperlink, which redirects the user to a servlet and its logout method, see below:

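      private String logout(HttpServletRequest req, HttpServletResponse res)
              throws ServletException, IOException {
          // Look up the existing session without creating a new one
          HttpSession session = req.getSession(false);
          if (session != null) {
              // this invalidates the session and the session is now null if System.out is used
              session.invalidate();
          }
          // Send the user back to the login page whether or not a session existed
          return "login.jsp";
      }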

      5) The user is redirected to the login.jsp page. Now here is the problem: when I click on the back button using the browser, the previous page reappears (even though it is restricted and is in the url-pattern in web.xml).

      Why is the page reappearing when clicking the back button, even though it is secure? Shouldn't it show the secure login.jsp again? Am I doing something wrong? I'm not sure how I can fix this problem.

      If someone with more experience and knowledge could help, I would really appreciate it.