How handle browser back button in spring mvc

Question

When a user is logged on session information is stored. And session information is erased when the user is logged out . But when I hit the browser 's back button user information is displayed. Since session is gone but we can not be sure the user login operation is carried out. How do I resolve this issue ?

  ----------------------------log out -------------------------------

   @RequestMapping(value="logout.htm",method = RequestMethod.GET)
   public void logOut(HttpSession session,HttpServletResponse                 
   response,HttpServletRequest request) throws IOException{
    final String refererUrl = request.getHeader("Referer");
    response.setHeader(refererUrl, "no-cache");
    response.setHeader("Cache-Control", "no-cache");
    response.setDateHeader("Expires", 0);
    session.removeAttribute("user");
    session.invalidate();
    response.sendRedirect("index.htm");
   }
    ---------------------------------- login ---------------
  @RequestMapping(value="/userLogin",method=RequestMethod.POST)

  public @ResponseBody JsonResponse
 login(@ModelAttribute(value="user") User user, BindingResult     result,HttpServletRequest request,HttpSession session,ModelMap model) throws    UnsupportedEncodingException{

    JsonResponse res = new JsonResponse();

    if(!result.hasErrors()&& userService.findUser(user, request)){
        res.setStatus("SUCCESS");
        session.setAttribute("user",
      new String(user.getUsername().getBytes("iso-  8859-1"), "UTF-8"));
      }
         else{
        res.setStatus("FAIL");
        result.rejectValue("username","1");
        res.setResult(result.getAllErrors());
       }
      return res;
   }
   --------------------------profile --------------------------------------

    @RequestMapping(value="myProfile.htm",method = RequestMethod.GET)
   public String showmyProfile(@ModelAttribute(value="addUser") User user,Model          model,HttpServletRequest request,
        HttpServletResponse response,
         HttpSession session) throws IOException{

        if(session.getAttribute("user")== null){
        response.sendRedirect("index");
    }

Answer 1

i use this method. first create one class that implements Filter and override doFilter() method. code of doFilter() is:

 @Override
 public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletResponse hsr = (HttpServletResponse) res;
hsr.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
hsr.setHeader("Pragma", "no-cache"); // HTTP 1.0.
hsr.setDateHeader("Expires", 0); // Proxies.
chain.doFilter(req, res);
 }

after use filter in web.xml. this filter is this.

  <filter>
    <filter-name>noCacheFilter</filter-name>
    <filter-class>com.example.NoCacheFilter</filter-class>
 </filter>
 <filter-mapping>
  <filter-name>noCacheFilter</filter-name>
  <url-pattern>/secured/*.jsp</url-pattern>// urls that not cached 
 </filter-mapping>

Answer 2

Configure an interceptor inside Servlet Context as this:

<!--  configuration for handling browser back button  -->
<mvc:interceptors>
    <mvc:interceptor>
        <mvc:mapping path="/**/*"/>
        <beans:bean id="webContentInterceptor" class="org.springframework.web.servlet.mvc.WebContentInterceptor">
            <beans:property name="cacheSeconds" value="0"/>
            <beans:property name="useExpiresHeader" value="true"/>
            <beans:property name="useCacheControlHeader" value="true"/>
            <beans:property name="useCacheControlNoStore" value="true"/>
        </beans:bean>
    </mvc:interceptor>
</mvc:interceptors>

Note: Don't forget to remove your browser cache while testing your application.

Answer 3

In spring-security 4.0 this problem has solved by default.You do not need to write any additional codes,even in security XML configurations.

Answer 4

response.setHeader(refererUrl, "no-cache");
response.setHeader("Cache-Control", "no-cache");
response.setDateHeader("Expires", 0);

The above code clears cache and expiring the session in the server side. But whether session is live or not, it should be verified or handled in your view (HTML or JSP). You can have the following meta tags in your view to say no-cache and no-store

<meta http-equiv="Cache-control" content="no-cache">

or

<META HTTP-EQUIV="Cache-Control" CONTENT="No-Cache,Must-Revalidate,No-Store">

Please refer this for Browser Cache Control