
At signout of the user, this method is hit. But on pressing the back button, user data is getting leaked (the user is not getting logged in again).

@RequestMapping(value = {"signout"})
public String signout(HttpServletRequest req, ModelMap map) {
    // getSession(false) returns null when there is no current session
    this.objSession = req.getSession(false);
    if (this.objSession != null && this.objSession.getAttribute("userid") != null) {
        this.objSession.removeAttribute("userid");
        this.objSession.removeAttribute("usertype");
        // this.objSession.invalidate();

        // This cookie is never added to the response, so it has no effect
        Cookie c = new Cookie("JSESSIONID", null);
    }
    return "redirect:/home.htm";
}
Nicolas Filotto
Subhajit
  • If the user is logged out, his session is destroyed, so the behavior that you get is totally expected. Pressing the back button will make your browser use the previous cookie that has been invalidated, such that it will be ignored by the server and it will ask to sign in again. BTW the only valid way to clean up a session is by calling invalidate() – Nicolas Filotto Sep 03 '16 at 14:47
  • @NicolasFilotto I have also used invalidate() but it's not helping. BTW thanks. – Subhajit Sep 03 '16 at 14:53
  • Maybe I don't get your problem. What should be the expected behavior for you in case the user presses the back button, and what does he get for now? – Nicolas Filotto Sep 03 '16 at 14:54
  • @NicolasFilotto When the user is logged in, his data is displayed in those pages. What I want to do is, I want to restrict the back button from displaying any pages which can only be accessed after login. – Subhajit Sep 03 '16 at 15:01
  • So you expect the user to get only pages available to an anonymous user (not logged in), right? If so, do you do a refresh after clicking the back button? Because the back button simply gets the page from the browser's cache, it doesn't call the server – Nicolas Filotto Sep 03 '16 at 15:04
  • @NicolasFilotto Yes, you got it. But how can I remove that cache? – Subhajit Sep 03 '16 at 15:07
  • This may help: http://stackoverflow.com/questions/49547/making-sure-a-web-page-is-not-cached-across-all-browsers – Nicolas Filotto Sep 03 '16 at 15:10
  • @NicolasFilotto Can you please help me out with Java code? – Subhajit Sep 26 '16 at 06:51
  • Check the accepted answer of the question that I provided above; there is the Java code to be used in a Servlet to prevent the browser from keeping the response page in cache – Nicolas Filotto Sep 26 '16 at 07:48
