4

I show a message:

"You are not logged in"

for guests who click the "submit" button on my page. Surely, for logged-in users I do not want to show the message. I coded it this way:

```jsp
<c:if test="${someCondition}">
addMsgToButtonEvent();
</c:if>
```

It works (almost) perfectly. But now, when a user is logged in and:

  1. clicks sign out (which is in my header and redirects to another page)
  2. clicks the "Back" button in the browser

The message doesn't appear because my page is not rendered again, so addMsgToButtonEvent is not called. I know that I can block the "Back" button by clearing the history, but this would change too much in the business requirements. Is there some soft and effective workaround for this problem?


Edited:

I think the best approach for such a problem is invalidating the session after sign out. I did it this way.

Brian Tompsett - 汤莱恩
lukastymo
  • possible duplicate of [Prevent user from going back to the previous secured page after logout](http://stackoverflow.com/questions/4194207/prevent-user-from-going-back-to-the-previous-secured-page-after-logout) – BalusC Dec 20 '11 at 12:53
  • Does this answer your question? [Prevent user from seeing previously visited secured page after logout](https://stackoverflow.com/questions/4194207/prevent-user-from-seeing-previously-visited-secured-page-after-logout) – Brian Tompsett - 汤莱恩 Aug 02 '20 at 12:55

2 Answers

3

I've had similar problems with ASP.Net sites and login controls.

You could add a meta tag to the HTML to tell the browser not to cache it - hence the back button will cause the page to be reloaded from the server correctly:

```html
<meta http-equiv="CACHE-CONTROL" content="NO-CACHE">
<meta http-equiv="EXPIRES" content="0">
```

Hope that might help :)

  • 2
    This won't work when HTTP response headers with same name are already present. The cache control value is also incomplete and won't work as expected on most browsers (read: non-MSIE browsers). See also http://stackoverflow.com/questions/49547/making-sure-a-web-page-is-not-cached-across-all-browsers/2068407#2068407 – BalusC Dec 20 '11 at 12:52
  • 1
    @BalusC I bow to your superior knowledge on the subject :) –  Dec 20 '11 at 13:16
0

If caching is the problem, add the following lines to the top of your JSP:

```jsp
<%
response.setHeader("Cache-Control", "no-cache, no-store"); // HTTP 1.1 (directives are comma-separated)
response.setHeader("Pragma", "no-cache"); // HTTP 1.0
response.setDateHeader("Expires", 0); // prevents caching at the proxy server
%>
```

If that does not solve the problem ... you may want to look at how you are handling display code and session invalidation.

The best approach is:

  1. When you create a session, assign a named attribute.
  2. In order to print the statement, check the existence of the named attribute.
  3. If the named attribute is found ... print the message, else do not do it.
  4. On logout ... do `session.invalidate()`.

Let me know what worked ... and we can dig deeper into this

jsshah
  • The cache control attribute is incomplete. You need a `must-revalidate` along it. See also http://stackoverflow.com/questions/49547/making-sure-a-web-page-is-not-cached-across-all-browsers/2068407#2068407 – BalusC Dec 20 '11 at 12:53