How to prevent a user from seeing previous users' info by hitting the "Back" button [duplicate]

Question

I am developing a java web app using servlet, in order to prevent user from hitting the back button to see previous users' info, I have the following code :

      protected void processRequest(HttpServletRequest request,HttpServletResponse response) throws ServletException, IOException
      {        
        HttpSession session=request.getSession(true);

        response.setContentType("text/html");
        response.setHeader("Cache-Control","no-cache,no-store");
        response.setDateHeader("Expires",0);
        response.setHeader("Pragma","no-cache");

        ......

        //    if (!User_Logged_In)
        session.invalidate();
      }

Besides I also have the following code in the file : web/WEB-INF/web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
......
<filter>
  <filter-name>ResponseHeaderFilter</filter-name>
  <filter-class>ResponseHeaderFilter</filter-class>
  <init-param>
    <param-name>Cache-Control</param-name>
    <param-value>private,no-cache,no-store</param-value>
   </init-param>
  <init-param>
    <param-name>Pragma</param-name>
    <param-value>no-cache</param-value>
   </init-param>
  <init-param>
    <param-name>Expires</param-name>
    <param-value>0</param-value>
   </init-param>
</filter>

</web-app>

And the ResponseHeaderFilter.java looks like this :

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.util.*;

public class ResponseHeaderFilter implements Filter
{
  FilterConfig fc;

  public void doFilter(ServletRequest req,ServletResponse res,FilterChain chain) throws IOException,ServletException
  {
    HttpServletResponse response=(HttpServletResponse)res;

    for (Enumeration e=fc.getInitParameterNames();e.hasMoreElements();)        // Set the provided HTTP response parameters
    {
      String headerName=(String)e.nextElement();
      response.addHeader(headerName,fc.getInitParameter(headerName));
    }
    chain.doFilter(req,response);                                              // Pass the request/response on
  }

  public void init(FilterConfig filterConfig)
  {
    this.fc=filterConfig;
  }

  public void destroy()
  {
    this.fc=null;
  }
}

So far it's still not working correctly. The back button will bring up a warning window saying the data has expired, it asks if the user wants to repost it. If you choose yes, it will still display the previous pages info. What am I doing wrong? What's the fix ?

Frank

---

Yes, I am developing a web app for a PC in public place, if user B hits the back button he might see user A's private info.

I was trying to use session id with servlet, but how to do it, any sample code ?

I also tried the following :

<Html>
<Head>...</Head>
<Body onLoad=document.execCommand("ClearAuthenticationCache","false")>
......
<script type="text/javascript">
  // Clear current credentials : Requires IE6 SP1 or later
  // document.execCommand("ClearAuthenticationCache");
    document.execCommand("ClearAuthenticationCache","false");
  </script>
......
</Html>

It works for IE but but Firefox.

Answer 1

How will hitting the back button cause the user to see another user's data? What is your use case? Is it designed for a public terminal, where each user submits data and then leaves? In this case, associate each input with a unique session id. Keep track of valid session ids in your server. Once the input is submitted, remove that session id from the valid ids. If it comes up again, then don't display the information.

Answer 2

Your problem is that you're trying to keep the client from seeing what's on his or her own computer. You can't keep them from looking at their browser cache. You can't keep them from disabling JavaScript (and thus your scripting code). You can't keep them from using a browser that doesn't observe that "repost" convention that you mention.

This is not a problem that can be solved with JavaScript or a server-side solution. That part of why "breaking the back button" is frowned upon: it doesn't actually solve anything.

Answer 3

Breaking the back button is a cardinal sin of web development.

but you could try a bit of java script in the onload that refreshed the details according to the currently logged in session.