hI!
I m trying to create a simple login application in jsp where i create a session allows the user to use certain features and then logout. Problem is that after the user logs out. I destroy all session objects and invalidate the session and redirect to welcome page still, on hitting the back button user can see the login pages, which ideally should not be navigable without login.

i have also used this code to disable caching

<head>
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">

<META HTTP-EQUIV="Expires" CONTENT="-1">
</head>
----//body tags
<%response.setHeader("Cache-Control","no-cache"); 

response.setHeader("Pragma","no-cache"); 

response.setDateHeader ("Expires", 0
---//my stuff
%>

This code is on the page where i signout.
n this doesnt seen to help.....does anybody have ne idea how to do this?

You should add to your pages code that checks the session. If it doesn't contain the user information redirect to the login page.
The user can go directly to whatever page they want by providing url at the browser. Then you need to check if there is a session with user information, else like I said redirect to the login page.

hi,
thanx 4 the suggestion, i implemented it..with the result that once i sign out..all the post login pages are still displayed when i hit the back button..but on trying to use any functionality on them i m immediately redirected to the login form...and even on refreshing any one of them i m redirected to login form but i dont want the pages to be even visible on hitting that back button as per my assesment these pages are coming from browser cache....n on using functionality data gets submitted on server who on finding invalid session redirects to login form.....
To be more precise i want a rediff like solution that once u logout there is no way u can see the inbox on hitting back button leave apart using it it just says inavalid session please login and if u hit back again takes u to the login form....
so can ne one suggest what am i missing? or is my assessment wrong?
thanx in advance

Where have you put the code that redirects to the login page and how?

On every post login page i m checking for the session attribute username in an if...all the functionality to be displayed is in that if and in else i m redirecting to the login page....eg code:

<%
        if(session.getAttribute("Username")!=null)
            {
        String username=(String) session.getAttribute("Username");
        out.write(username);
        out.write(" <br> <a href='myaccount.jsp'> Go to My Account</a></td></tr>  <tr><td>  <a href='newsupdates.jsp'> NewsUpdates</a></td></tr>");
        out.write("<tr><td><a href='newaccrequest.jsp'>View New Account Request</a></td></tr>");
        }
        else
            response.sendRedirect("mainpage.jsp");
        %>

where on signing out the following code has already executed

<%
        request.getSession(false);
        session.invalidate();

        response.sendRedirect("mainpage.jsp");
                %>

so the session attributes like username which are established after succesful login are invalidated at sign out.
I hope the code helps in finding the problem.
thanx for the reply n in anticipation of another good one!

You could have this at each page:

<%
        if(session.getAttribute("Username")==null)
            {
response.sendRedirect("mainpage.jsp"); // GO TO LOGIN PAGE
            }
//continue with the rest

This is how I have it. Whenever the user goes to a page, if there is no "session" with the "Username" I redirect to the login page. I do it like this, although I don't believe there is much difference:

RequestDispatcher dispatcher = request.getRequestDispatcher("../index.jsp");
dispatcher.forward(request, response);

You see you cannot prevent the user from just writing the url of the page they want to go at the browser. Anyone can open a browser and write the url of a page that needs login first. But with your code when the page loads, the user is redirected to the login page. I mean once someone hits the 'Back' button they will go back and see what was there. But if the information displayed at that page required some data taken from the request then you will go back.
Example: If you have a form, you submit it and go to a result page. If someone goes 'Back' to that result page they will be asked to resent the data of the request by the browser. When that happens the page reloads and your code will be executed.

<script type="text/javascript">
function noBack(){window.history.forward();}
noBack();
window.onload=noBack;
window.onpageshow=function(evt){if(evt.persisted)noBack();}
window.onunload=function(){void(0);}
</script
put this in your header section of the login page

commented: Thank you sir +0
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.