Invalidate session in Logout Servlet [duplicate]

Tags: java, jsp, servlets

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LogoutServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession() creates a new session if none exists yet
        HttpSession session = request.getSession();
        try {
            session.removeAttribute("logonSessData");
            session.invalidate();
            // send the user back to the application root (the login screen)
            String pageToForward = request.getContextPath();
            response.sendRedirect(pageToForward);
        } catch (Exception sqle) {
            System.out.println("error UserValidateServlet message : " + sqle.getMessage());
            System.out.println("error UserValidateServlet exception : " + sqle);
        }
    }
}

In the Logout servlet I wrote the above code in the doPost and doGet methods. After logout it shows the login screen, and then if I press the back button it shows the previous screen from before logout; then if I click on any page it shows "HTTP Status 500", and now if I press F5 it hits the login servlet and gets the full access of the user.

How do I stop this problem, so that after logout the user cannot use any page via the back button and F5?

user1429962 asked Mar 25 '13 11:03


2 Answers

What you are doing is good. The browser is caching the previous pages, and when you click the back button it is taking you to the previous cached page.

You need to add cache headers which do not allow the browser to cache the page.

Cache-Control: no-cache
Ramesh PVK answered Oct 01 '22 14:10


1) When you click the back button in the browser you get the previous page because of the browser cache.

2) When you click on any page after going back you get status 500 because there is a null pointer exception, since the session object is already invalidated.

3) When you refresh, a new request goes to your servlet or JSP, where you are calling the request.getSession(); method, which creates a new session object for you.

As a result you get full access to all pages again.

To avoid this problem you can follow the steps below.

1) In the application create one servlet, e.g. LoginCheckerServlet.

2) Give the above servlet the url pattern /*.

3) So the servlet will be executed for all requests.

4) Now in LoginCheckerServlet check for username and password in the request parameters.

5) If they are present, perform the login check and display the welcome page.

6) If the username and password are not present, there are two possible meanings:

     i) the user is already logged in

    ii) the user is trying to access your app illegally

7) Now call the request.getSession(false); method, which will give you the session object if there is already a session existing for this user, so you can redirect to the welcome page, trusting the user.

8) request.getSession(false); will give you a null value if there is no session existing for this user.

9) If you are not getting username and password in the request parameters and request.getSession(false); is also giving you a null value, it means the user is trying to access your application without logging in; now you can happily display the forbidden page.

Jagadeesh answered Oct 01 '22 16:10
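Steps 7 to 9 above written out in code, as an added example rather than Jagadeesh's own code. It uses a Filter mapped to /* instead of a servlet on /*: a servlet on /* is a path-prefix mapping that wins over the *.jsp extension mapping and would take every JSP out of service, while a Filter wraps each request and passes it on. The class name, LOGIN_PAGE and LOGIN_SERVLET are assumptions, and the login servlet is assumed to store the "logonSessData" attribute (the one removed in the question's logout code) on a successful login. That attribute, not the mere existence of a session, is used as the proof of login, because a JSP creates a session by default and so request.getSession(false) can return a session for a user who never logged in.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumed class name; runs for every request in the application.
@WebFilter("/*")
public class LoginCheckFilter implements Filter {

    // Assumed paths: the login form and the servlet that processes it.
    private static final String LOGIN_PAGE = "/login.jsp";
    private static final String LOGIN_SERVLET = "/login";

    // Assumed: the login servlet sets this attribute after a successful login,
    // and the logout servlet in the question removes it and invalidates the session.
    private static final String LOGIN_MARKER = "logonSessData";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path inside the application, e.g. "/account.jsp".
        String path = request.getRequestURI().substring(request.getContextPath().length());

        // The login form and the login servlet must stay reachable without a
        // session, otherwise nobody could ever log in.
        if (path.equals(LOGIN_PAGE) || path.equals(LOGIN_SERVLET)) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false) never creates a session: null means there is none
        // (never logged in, or logged out and invalidated).
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(LOGIN_MARKER) != null;

        if (!loggedIn) {
            // No proof of login: send to the login page instead of serving
            // the requested content (a 403 page would be the alternative).
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }

        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

With this in place the F5 case in the question no longer matters: the refreshed request still reaches the filter, getSession(false) returns null after the logout servlet invalidated the session, and the user is sent to the login page rather than to a page that calls request.getSession() and hands out a brand-new session.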