Home » Java » servlet session , after logout , when back button of browser is pressed , again the secure page is shown [duplicate]

servlet session , after logout , when back button of browser is pressed , again the secure page is shown [duplicate]

Posted by: admin December 28, 2021 Leave a comment

Questions:

I have a servlet and a HTML page. How can I prevent the user from hitting the back button of the browser after logout? I have read the same question in stackoverflow , but the answers are using browser history disable with java script or using page–no cache in http headers. How can we implement it using servlets that prevent the go back action, the http-header no cache is useless as Firefox says the page is expired when it is refreshed two times again the secure page is shown.

I have done in a way , sample method just for a try (not real)
My username and password are posted to the servlet from HTML page the servlet stores this in a session if the password and username are correct.
When again the secure page is requested, if session exists the secure page is shown and id the user log outs from the session the login page is show all are working except the logout fails if the user hits back button of the browser.

How can we prevent the secure servlet from showing the content after logout and then back button is pressed in the browser ?

src of welcome.html

<html>
<body>

<form method="POST" action="Sessionexample">
<div align="center">
<table border="1"   style="border-collapse: collapse">
    <tr>
        <td>Username</td>
        <td><input type="text" name="username" size="20"></td>
    </tr>
    <tr>
        <td>Password</td>
        <td><input type="text" name="password" size="20"></td>
    </tr>
    <tr>
        <td height="24">&nbsp;</td>
        <td height="24">&nbsp;</td>
    </tr>
    <tr>
        <td>&nbsp;</td>
        <td><input type="submit" value="Submit" name="B1"></td>
    </tr>
</table>
</div>
</form>
</body>
</html>

src of the servlet

public class Sessionexample extends HttpServlet implements Servlet , Filter {
    private static final long serialVersionUID = 1L;
    public String username =null, password=null;
    public HttpSession session ;
    public PrintWriter pw;
    int do_get =0 ;
    /**
     * Default constructor. 
     */


    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        HttpSession session = request.getSession(false);         
        if (session == null || session.getAttribute("username") == null) {
            response.sendRedirect("welcome.html"); // No logged-in user found, so redirect to login page.
            response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
            response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
            response.setDateHeader("Expires", 0);
        } else {
            chain.doFilter(req, res);  
        }
    }


    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException 
    {

        do_get=1;
        pw = response.getWriter();
        session=request.getSession(false);
        try
        {
            if(request.getParameter("action")!=null)
            {
                if(request.getParameter("action").equals("logout"))
                {

                    session = request.getSession(true);
                    session.setAttribute("username", "");
                    session.setAttribute("password", "");
                    session.invalidate();
                     response.sendRedirect("welcome.html");
                    return; 
                }
            }
            else
            if(session !=null)
                {
                 if( (String)session.getAttribute(username)!=null)
                username = (String)session.getAttribute("username").toString();
                if( (String)session.getAttribute("password") !=null)
                 password =session.getAttribute("password").toString();
                pw.write("not new-");
                serviced(request,response);
                }

        }
        catch(Exception ex)
        {
            pw.write("Error-"+ex.getMessage());
        } 

    }

    /**
     * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
     */
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException 
    {

        if(request.getParameter("username")!=null && request.getParameter("password")!=null )
        {
             username = request.getParameter("username").toString();
             password =  request.getParameter("password").toString(); 
        } 

        serviced(request,response);

    }


    protected void serviced(HttpServletRequest request, HttpServletResponse response) throws IOException
    {

            response.setContentType("text/html");

            pw = response.getWriter();  
        if( username !=null && password !=null)
            if( username.equals("admin") && password.equals("a"))
            {

                try
                {

                    if(do_get==0)
                    {
                session = request.getSession(true);
                session.setAttribute("username", "admin");
                session.setAttribute("password", "a");
                    }               
                pw.write("You are logged in : "+username+"  <br/> "+"<a href='?action=logout'><h1>   Logout </h1> </a>");

                }
                catch(Exception ex)
                {
                                        response.sendRedirect("welcome.html");

                }

            }
            else
            {
            response.sendRedirect("welcome.html");
            }
            else
                response.sendRedirect("welcome.html");
    }

    @Override
    public boolean accept(Object arg0) throws IOException {
        // TODO Auto-generated method stub
        return false;
    }       

}
Answers:

Your filter is setting the no-cache headers on the welcome.html only, not on the restricted pages. So whenever the browser requests any of those restricted pages via back button, it will likely show up the cached version. Your filter needs to set the no-cache headers on all restricted pages.

So, you need to change

    if (session == null || session.getAttribute("username") == null) {
        response.sendRedirect("welcome.html"); // No logged-in user found, so redirect to login page.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
        response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
        response.setDateHeader("Expires", 0);
    } else {
        chain.doFilter(req, res);  
    }

to

    if (session == null || session.getAttribute("username") == null) {
        response.sendRedirect("welcome.html"); // No logged-in user found, so redirect to login page.
    } else {
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
        response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
        response.setDateHeader("Expires", 0);
        chain.doFilter(req, res);  
    }