How to prevent refresh after logout?

misra.manisha

Hi,

Let me give a brief first. When someone logs in my application with
correct username and password, I set a session attribute, say "user"
with his username.
When he logs out, I invalidate the session and remove the attribute
"user". In each of the protected pages, I check for the session
attribute "user". If it exists, I proceed, else I redirect to login
page.
Btw, I am also using frames when the user logs in.

Everything is working as I want it to. Except one thing! After the user
logs out and then goes back using "back" button of the browser, the
page displayed says that he has been logged out and needs to login
again. But if he refreshes the page (after going "Back"), the page
reloads with correct information, as if he is already logged in.

What do I do to prevent this?

I am fairly new to JSP. So, maybe I am missing out on something....

Please help.
 
Andrew T.

Btw, I am also using frames when the user logs in.

Using HTML frames introduces all sorts of complications.
Do you see the effect in different browsers?
Do you still see the effect when you don't use frames?

Andrew T.
 
misra.manisha

Andrew said:
Using HTML frames introduces all sorts of complications.
Do you see the effect in different browsers?
Do you still see the effect when you don't use frames?

Andrew T.

Yup! It's the same on IE, Netscape...

Are frames the culprit?
 
misra.manisha

Andrew said:
I don't know.
Do you still see the effect when you don't use frames?

Andrew T.


Yeah... it's still the same... even after logout, the refresh button reloads
the page with all info...
So, it's not the frames...
I guess I need to add something else to my secure pages.
 
news reader

The problem could also be because of browser side caching. Are you sure
that the page refresh is actually causing a HTTP request to the server
versus a page fetch from the cache?
One thing I tend to follow is never to allow a "secure" page to be
cached. You can do this by setting the "Cache-Control" header to "no-cache".

-skt
 
misra.manisha

Yeah, I have set caching to "no-cache"... but that doesn't seem to be
working..
All my secure pages have following lines on top:

// setHeader replaces any earlier value of the same header, so setting
// "Cache-Control" twice keeps only the second call; put both directives in one value.
response.setHeader("Cache-Control", "no-cache, no-store");
response.setHeader("Pragma", "no-cache");
response.setDateHeader("Expires", 0);
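The cache headers in the post above are written at the top of every JSP, and the two setHeader("Cache-Control", ...) calls overwrite each other, so only "no-store" ever reaches the browser. The following servlet filter is an added example (not code from this thread) that does the session check skt and the original poster describe and sets the headers once, before any page output is written. It assumes the javax.servlet API, a login page at /login.jsp, and a web.xml mapping of the filter to the protected URLs, all of which are assumptions for the example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter, mapped in web.xml to every protected URL (e.g. /secure/*).
// It rejects requests whose session carries no "user" attribute and marks every
// protected response as uncacheable, so Back/Refresh must re-ask the server.
public class ProtectedPageFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session: after session.invalidate()
        // on logout there is none, so the user is treated as logged out.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("user") != null;
        if (!loggedIn) {
            // Assumed login page location.
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }

        // Headers must be set before the JSP starts writing its body, which is
        // why a filter is a safer place than the top of each page.
        // setHeader replaces earlier values, so all directives go in one call.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");   // for HTTP/1.0 caches and proxies
        response.setDateHeader("Expires", 0);       // already expired

        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

To confirm skt's question (is Refresh really hitting the server?), log each request that passes through doFilter and watch the log while pressing Refresh after logout; if nothing is logged, the browser served the page from its cache and the headers are not reaching it.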
 
Oliver Wong

Hi,

Let me give a brief first. When someone logs in my application with
correct username and password, I set a session attribute, say "user"
with his username.
When he logs out, I invalidate the session and remove the attribute
"user". In each of the protected pages, I check for the session
attribute "user". If it exists, I proceed, else I redirect to login
page.
Btw, I am also using frames when the user logs in.

Everything is working as I want it to. Except one thing! After the user
logs out and then goes back using "back" button of the browser, the
page displayed says that he has been logged out and needs to login
again. But if he refreshes the page (after going "Back"), the page
reloads with correct information, as if he is already logged in.

What do I do to prevent this?

I am fairly new to JSP. So, maybe I am missing out on something....

I'm not familiar with JSP, but I can tell you how this is done at the
HTTP and DB level.

Presumably you have a DB with username, password, and other account
information. Instead of using the user name for authentication, generate a
random token (e.g. a random number between 0 and a hundred billion) and
give that to the user to store as a cookie. Save this number in your DB,
associated with the appropriate user account. Make sure each token you give
out is unique within the DB. For the sake of this example, let's say the
number you generated is 5.

Now, when the user goes to a new page, he'll send you this unique token
id, and then you can search the DB to find out which user it is. So in this
example, you'd SELECT userID FROM TokenUserAssociationTable WHERE Token = 5.

When the user logs out, tell the user to destroy the cookie, and destroy
the corresponding entry in your DB. So even if the user cheats and doesn't
destroy their cookie, if they send back 5, you'll search your DB, and see
that 5 isn't present, and inform them that their login has expired and they
have to re-enter their username and password.

- Oliver
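Oliver's token scheme, as an added example in Java (not Oliver's code, and not part of the thread). An in-memory map stands in for his TokenUserAssociationTable so the example runs stand-alone; a real deployment would keep the rows in the database. The token is 128 random bits from SecureRandom rather than a number up to a hundred billion, which is an assumption made here so the token cannot be guessed; the user id "manisha" in main is a constructed sample value.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Stand-in for Oliver's TokenUserAssociationTable: token -> userID.
public class TokenSessions {
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, String> tokenToUser = new ConcurrentHashMap<String, String>();

    // Called once the username/password check has succeeded. Returns the token
    // the caller should send to the browser as a cookie.
    public String login(String userId) {
        String token;
        do {
            // 128 random bits, hex-encoded (assumption: stronger than the
            // "0 to a hundred billion" range suggested in the thread).
            token = new BigInteger(128, RNG).toString(16);
            // putIfAbsent returns null only if the token was not already present,
            // which enforces Oliver's "unique within the DB" requirement.
        } while (tokenToUser.putIfAbsent(token, userId) != null);
        return token;
    }

    // Equivalent of: SELECT userID FROM TokenUserAssociationTable WHERE Token = ?
    // Returns null when the token is unknown, i.e. the login has expired.
    public String userFor(String token) {
        return token == null ? null : tokenToUser.get(token);
    }

    // Logout: delete the server-side row. A browser that keeps the old cookie,
    // or a user who presses Back and then Refresh, is now rejected by userFor().
    public void logout(String token) {
        if (token != null) {
            tokenToUser.remove(token);
        }
    }

    public static void main(String[] args) {
        TokenSessions sessions = new TokenSessions();
        String token = sessions.login("manisha");           // constructed sample user
        System.out.println("after login:  " + sessions.userFor(token));
        sessions.logout(token);
        System.out.println("after logout: " + sessions.userFor(token));
    }
}
```

In a servlet, the token would be read from the request's cookies and passed to userFor() on every protected page; a null result means redirect to the login page, regardless of what the browser thinks it still has.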
 