Hi..I wish to prevent users from entering the web pages of my application again using back button once they've logged out.How can i achieve this?..I do not wish to use no-cache,history() etc as they're not fool proof.
Also i want to know how can i prevent users from directly entering the web page by giving its url in the address bar i.e. if such an attempt is made then user must be redirected to the login page.I am using jsp and java.Thx

Well, nothing is fool proof.

You need to use the no-cache and expires pragmas/headers, and use some JavaScript to wipe out the history on the browser (Google "javascript history", although this might also be deactivated).

But, no matter what you do, you need to have a session check on each and every page (easiest to use a filter) so that the user, at least, can't do anything on the pages.

I got the part to deny access without login.
Thx :)..bt how can i set session variable(userid in my application) to null after i sign out so that back button doesn't work or user is shown a page askin him to sign in again?.. is there any other way?..

You invalidate the session. I would have to look up how to do it in JSP myself, but if your using a servlet, or a filter to accomplish the logout, then that is going to be Java code, and there it is

yourHttpSessionVariable.invalidate();

I hope your not starting every page with the equivalent of

HttpSession session = request.getSession();
// or
HttpSession session = request.getSession(true);

as those create a new session if no valid session already exists. That method should only be used on the initial login every other should use

HttpSession session = request.getSession(false);

this one will return null if there is no valid session.

The best place to do this is in a Filter, as there you can redirect the user to a login site (when no valid session exists), and once the user is logged in the Filter can then redirect back to the site the user originally wanted.

Comments
You are a star :cool:

Hi..Thx for the replies.I do find them helpful.

Im writing this in a file signout.jsp where user is directed on clicking sign out------

<% 	
	session.setAttribute("userid",null);
%>

anf performin the followin test in a redirect.jsp file-------

<%

Object uid= session.getAttribute("userid");
if(uid == null)
	{
		String redirectURL="http://localhost:8085/ankita/goback.jsp";
		response.sendRedirect(redirectURL);
	}

%>

goback.jsp is a normal html file askin user to login again.

I have included redirect.jsp in all the web pages of the application.

but i need to perform a separate test for jsp files(of the form processSomething.jsp) that call java functions(contain business logic such as db connection,query runnin etc.)
it is as follows----

if(session.getAttribute("userid")==(null) )

	{%>
		<jsp:forward page="goback.jsp" />
	<%}

and if i try put this piece of code in a commom file that can be included into other pages it shows error saying "cant test after forward".

Guess its getting a little messy...haven't used servlets yet..and filters seem complicated...their deployment etc.How should i go about solving the issue?..Or what i've done is decent enough?..

Hey, i'm using following code on all of my JSPs and it is working.
So, try following code (paste it as the first line of your every JSP)
If it still doesn't work, then error lies somewhere else.
Code:-

<%
 if(session.getAttribute("Name")==null)    <%--"Name" is my session attribute--%>
    {
    %>
    <jsp:forward page="Login.jsp" />   <%--in my project, i'm redirecting user to index--%>
    <%
    }
        else
            {
               // your code
            }
      %>

Edited 3 Years Ago by Dani: Formatting fixed

Without SSL, the only way to prevent the "back" button from being used is to set the no-cache and no-store headers, as well as track the last login for the user. User ~s.o.s~ had a good article describing solutions for preventing malicious users from using the "back" button.

One thing you have to watch out for is that if you store the last log-on as a hidden form element, like the article describes, a malicious user could change that value pretty easily to fake a newer log-on time, thus allowing the back button to work for POST requests. So be aware that none of those solutions are 100% foolproof.

This question has already been answered. Start a new discussion instead.