3

I am using the Tomcat web container. I have an admin console app implemented. When I click on logout, a session attribute is made null and invalidated; see the code below in my logout.jsp file. After logout the user is taken to the login page. In Firefox, when I click the back button, I have the issues below. First, I do not get a "page expired" page like in IE. Second, when I click on any of the links in the page, I check for the session attribute which I made null in logout. The value of that is "success". I am totally confused by this behaviour. Is it an issue with Firefox or with Tomcat session management?

I am sure I need more knowledge to understand this behaviour. Appreciate your help in letting me know what happens here...

<%@ page session="false" %>
<%
response.setHeader("cache-control","no-cache");
response.setHeader("Pragma","no-cache");
response.setDateHeader("Expires",-1);

%>
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
    <% 
    HttpSession session = request.getSession(false);
    System.out.println("session"+session);
    session.setAttribute("loginStatus",null);
    session.invalidate();
  %>
JoseK
Sandeep

1 Answer

4

The headers are incomplete. You need the following set of headers:

response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
response.setDateHeader("Expires", 0); // Proxies.

Especially the must-revalidate entry fixes this particular FF issue.


Unrelated to the actual problem, I've a few comments about this piece of code:

  • You should prefer UTF-8 over ISO-8859-1 to gain world domination.
  • Raw Java code in a JSP page is poor practice. The response headers need to be set in a Filter and the logout needs to happen (indirectly) in a Servlet.
  • Calling getSession(false) with false may return a null session which in turn can lead to a NullPointerException in certain circumstances. Get rid of false or at least add a null check.
  • Setting the attribute to null right before calling invalidate() is unnecessary. The invalidate() call already trashes all the attributes.

Hope you learn something from this.

Community
BalusC
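
The Filter and Servlet arrangement recommended in the answer above, as an added example that is not part of the original question or answer. It assumes the javax.servlet API (Servlet 3.0+; the package is jakarta.servlet on Tomcat 10 and later) and a logout form that submits by POST; the class names, the `/admin/*` and `/logout` mappings and the `login.jsp` target are hypothetical.

```java
// Added example: class names, URL patterns and login.jsp are hypothetical.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public final class LogoutSupport {

    /** Sets the answer's three headers on every protected page before it is rendered. */
    @WebFilter("/admin/*") // hypothetical path of the admin console pages
    public static class NoCacheFilter implements Filter {
        @Override public void init(FilterConfig config) {}
        @Override public void destroy() {}

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletResponse response = (HttpServletResponse) res;
            response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1
            response.setHeader("Pragma", "no-cache"); // HTTP 1.0
            response.setDateHeader("Expires", 0); // proxies
            chain.doFilter(req, res);
        }
    }

    /** Ends the session and sends the browser to the login page. */
    @WebServlet("/logout") // hypothetical URL
    public static class LogoutServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest request, HttpServletResponse response)
                throws IOException {
            HttpSession session = request.getSession(false); // null when no session exists
            if (session != null) {
                session.invalidate(); // drops every attribute, loginStatus included
            }
            response.sendRedirect(request.getContextPath() + "/login.jsp");
        }
    }
}
```

Because the filter runs for every page under the mapped path, the headers reach the browser on the pages it would otherwise keep in its cache, not only on the logout response.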