Question
When a user is logged on, session information is stored, and the session information is erased when the user is logged out. But when I hit the browser's back button, user information is displayed. Since the session is gone, we cannot be sure the user login operation is carried out. How do I resolve this issue?
----------------------------log out -------------------------------
    @RequestMapping(value = "logout.htm", method = RequestMethod.GET)
    public void logOut(HttpSession session, HttpServletResponse response,
                       HttpServletRequest request) throws IOException {
        final String refererUrl = request.getHeader("Referer");
        response.setHeader(refererUrl, "no-cache");
        response.setHeader("Cache-Control", "no-cache");
        response.setDateHeader("Expires", 0);
        session.removeAttribute("user");
        session.invalidate();
        response.sendRedirect("index.htm");
    }
---------------------------------- login ---------------
    @RequestMapping(value = "/userLogin", method = RequestMethod.POST)
    public @ResponseBody JsonResponse login(@ModelAttribute(value = "user") User user,
            BindingResult result, HttpServletRequest request, HttpSession session,
            ModelMap model) throws UnsupportedEncodingException {
        JsonResponse res = new JsonResponse();
        if (!result.hasErrors() && userService.findUser(user, request)) {
            res.setStatus("SUCCESS");
            // Re-decode the submitted username from ISO-8859-1 to UTF-8 before storing it.
            session.setAttribute("user",
                    new String(user.getUsername().getBytes("iso-8859-1"), "UTF-8"));
        } else {
            res.setStatus("FAIL");
            result.rejectValue("username", "1");
            res.setResult(result.getAllErrors());
        }
        return res;
    }
--------------------------profile --------------------------------------
    @RequestMapping(value = "myProfile.htm", method = RequestMethod.GET)
    public String showmyProfile(@ModelAttribute(value = "addUser") User user, Model model,
            HttpServletRequest request, HttpServletResponse response,
            HttpSession session) throws IOException {
        if (session.getAttribute("user") == null) {
            response.sendRedirect("index");
        }
Answer 1:
I use this method. First, create a class that implements Filter and override the doFilter() method. The code of doFilter() is:
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse hsr = (HttpServletResponse) res;
        hsr.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
        hsr.setHeader("Pragma", "no-cache"); // HTTP 1.0.
        hsr.setDateHeader("Expires", 0); // Proxies.
        chain.doFilter(req, res);
    }
After that, use the filter in web.xml. The filter is this:
    <filter>
        <filter-name>noCacheFilter</filter-name>
        <filter-class>com.example.NoCacheFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>noCacheFilter</filter-name>
        <!-- URLs that must not be cached. A servlet url-pattern is either a path
             mapping (/secured/*) or an extension mapping (*.jsp); combining the two
             as /secured/*.jsp is treated as an exact path and never matches. -->
        <url-pattern>/secured/*</url-pattern>
    </filter-mapping>
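A check for the headers discussed above, added here as an example and not part of any answer: it classifies a response by its caching headers, so you can see that the question's code sets them only on the logout response while the profile page, as posted, carries none. The sample header sets are constructed from the snippets on this page, and the function names are hypothetical.

```python
# Added example: classify what a browser may do with a response, judged only
# by the caching headers discussed on this page. The sample header sets below
# are constructed from the snippets in the question and in answer 1.

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument-or-None}, lower-cased."""
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives

def back_button_exposure(headers):
    """Return 'not-stored', 'revalidate' or 'storable' for one response."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control"))
    if "no-store" in cc:
        return "not-stored"   # the browser must not keep a copy at all
    if ("no-cache" in cc or cc.get("max-age") == "0"
            or h.get("pragma", "").lower() == "no-cache"):
        return "revalidate"   # a copy may be kept; the HTTP cache must ask the server first
    return "storable"         # nothing stops the page being kept and shown again

def audit(responses, protected):
    """Map each protected path to its exposure; a path with no headers is 'storable'."""
    return {p: back_button_exposure(responses.get(p, {})) for p in protected}

# Constructed responses: the question sets headers only on logout.htm,
# answer 1's filter sets them on every page it is mapped to.
QUESTION_APP = {
    "/logout.htm": {"Cache-Control": "no-cache",
                    "Expires": "Thu, 01 Jan 1970 00:00:00 GMT"},
    "/myProfile.htm": {"Content-Type": "text/html"},
}
FILTERED_APP = {
    "/myProfile.htm": {"Cache-Control": "no-cache, no-store, must-revalidate",
                       "Pragma": "no-cache",
                       "Expires": "Thu, 01 Jan 1970 00:00:00 GMT"},
}

if __name__ == "__main__":
    print(audit(QUESTION_APP, ["/myProfile.htm"]))
    print(audit(FILTERED_APP, ["/myProfile.htm"]))
```

To use it against a running application, replace the constructed dictionaries with the headers actually returned for each protected URL.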
Answer 2:
Configure an interceptor inside the servlet context like this:
    <!-- configuration for handling browser back button -->
    <mvc:interceptors>
        <mvc:interceptor>
            <mvc:mapping path="/**/*"/>
            <beans:bean id="webContentInterceptor" class="org.springframework.web.servlet.mvc.WebContentInterceptor">
                <beans:property name="cacheSeconds" value="0"/>
                <beans:property name="useExpiresHeader" value="true"/>
                <beans:property name="useCacheControlHeader" value="true"/>
                <beans:property name="useCacheControlNoStore" value="true"/>
            </beans:bean>
        </mvc:interceptor>
    </mvc:interceptors>
Note: Don't forget to remove your browser cache while testing your application.
Answer 3:
In spring-security 4.0 this problem has been solved by default. You do not need to write any additional code, even in the security XML configuration.
Answer 4:
    response.setHeader(refererUrl, "no-cache");
    response.setHeader("Cache-Control", "no-cache");
    response.setDateHeader("Expires", 0);
The above code clears the cache and expires the session on the server side. But whether the session is live or not, it should be verified or handled in your view (HTML or JSP). You can have the following meta tags in your view to say no-cache and no-store:
    <meta http-equiv="Cache-control" content="no-cache">
or
    <META HTTP-EQUIV="Cache-Control" CONTENT="No-Cache,Must-Revalidate,No-Store">
Please refer to this for browser cache control.
Source: https://stackoverflow.com/questions/26420941/how-handle-browser-back-button-in-spring-mvc