Servlet session: after logout, the secure page is shown again when the browser's back button is pressed

I have a servlet and an HTML page. How do I stop the user from clicking the browser's back button after logout? I have read the same question on stackoverflow, but the answers were to disable the back button with JavaScript using the browser history, or to use no-cache in the page's HTTP headers. How can we implement it with a servlet that blocks the back action? No-cache in the HTTP header is useless, because Firefox says the page has expired again after refreshing the secure page twice.

I have done one method, a sample method just for trying (not the real one): my username and password are posted from the HTML page to the servlet, and if the password and username are correct the servlet stores them in the session. When the secure page is requested again, the secure page is shown if the session exists, and the user logs out from the session. Everything is working from the login page, except that logout fails when the user clicks the browser's back button.

How do I stop the secure servlet from showing its content after logout when the back button is pressed in the browser?

Source of welcome.html

    <!-- The form markup was stripped when the question was posted; only the two
         labels survived. The field names are the parameters the servlet reads;
         the action is the servlet's mapped URL, which the question does not show. -->
    <form method="post" action="SERVLET_URL_NOT_SHOWN_IN_QUESTION">
      Username <input type="text" name="username"><br>
      Password <input type="password" name="password"><br>
      <input type="submit" value="Login">
    </form>

Source of the servlet

    import java.io.IOException;
    import java.io.PrintWriter;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.Servlet;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;

    public class Sessionexample extends HttpServlet implements Servlet, Filter {
        private static final long serialVersionUID = 1L;
        // Note: these instance fields are shared by every concurrent request to this servlet.
        public String username = null, password = null;
        public HttpSession session;
        public PrintWriter pw;
        int do_get = 0;

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;
            HttpSession session = request.getSession(false);
            if (session == null || session.getAttribute("username") == null) {
                response.sendRedirect("welcome.html"); // No logged-in user found, so redirect to login page.
                response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
                response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
                response.setDateHeader("Expires", 0);
            } else {
                chain.doFilter(req, res);
            }
        }

        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            do_get = 1;
            pw = response.getWriter();
            session = request.getSession(false);
            try {
                if (request.getParameter("action") != null) {
                    if (request.getParameter("action").equals("logout")) {
                        session = request.getSession(true);
                        session.setAttribute("username", "");
                        session.setAttribute("password", "");
                        session.invalidate();
                        response.sendRedirect("welcome.html");
                        return;
                    }
                } else if (session != null) {
                    // The posted code looked up getAttribute(username), i.e. used the field's
                    // value as the key; the attribute name "username" is what is stored below.
                    if (session.getAttribute("username") != null)
                        username = session.getAttribute("username").toString();
                    if (session.getAttribute("password") != null)
                        password = session.getAttribute("password").toString();
                    pw.write("not new-");
                    serviced(request, response);
                }
            } catch (Exception ex) {
                pw.write("Error-" + ex.getMessage());
            }
        }

        /**
         * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
         */
        protected void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            if (request.getParameter("username") != null && request.getParameter("password") != null) {
                username = request.getParameter("username").toString();
                password = request.getParameter("password").toString();
            }
            serviced(request, response);
        }

        protected void serviced(HttpServletRequest request, HttpServletResponse response)
                throws IOException {
            response.setContentType("text/html");
            pw = response.getWriter();
            if (username != null && password != null) {
                if (username.equals("admin") && password.equals("a")) {
                    try {
                        if (do_get == 0) {
                            session = request.getSession(true);
                            session.setAttribute("username", "admin");
                            session.setAttribute("password", "a");
                        }
                        // The markup inside this string was stripped when the question was
                        // posted; the logout link targets the ?action=logout branch of doGet.
                        pw.write("You are logged in : " + username + "<br>"
                                + "<a href=\"?action=logout\">Logout</a>");
                    } catch (Exception ex) {
                        response.sendRedirect("welcome.html");
                    }
                } else {
                    response.sendRedirect("welcome.html");
                }
            } else {
                response.sendRedirect("welcome.html");
            }
        }

        // The posted class ended with an accept(Object) override that belongs to no servlet
        // interface and does not compile; Filter needs init(FilterConfig) (destroy() is
        // already inherited from GenericServlet).
        public void init(FilterConfig filterConfig) throws ServletException {
        }
    }

Your filter sets the no-cache headers only on welcome.html, not on the restricted pages. So whenever the browser requests any restricted page via the back button, it may show the cached version. Your filter needs to set the no-cache headers on all restricted pages.

So you need to change

    if (session == null || session.getAttribute("username") == null) {
        response.sendRedirect("welcome.html"); // No logged-in user found, so redirect to login page.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
        response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
        response.setDateHeader("Expires", 0);
    } else {
        chain.doFilter(req, res);
    }

to

    if (session == null || session.getAttribute("username") == null) {
        response.sendRedirect("welcome.html"); // No logged-in user found, so redirect to login page.
    } else {
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
        response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
        response.setDateHeader("Expires", 0);
        chain.doFilter(req, res);
    }
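A stand-alone filter that applies the fix above as a complete class, added here as an example and not code from the question or the answer; the `/secure/*` URL mapping, the class name and the context-path-relative redirect are assumptions, and the headers are set before any redirect because headers set after the response is committed are ignored by the container.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumed mapping: every URL under /secure/ is a restricted page.
@WebFilter("/secure/*")
public class NoCacheAuthFilter implements Filter {

    // The login page is assumed to sit at the context root, as in the question.
    private static final String LOGIN_PAGE = "welcome.html";

    @Override
    public void init(FilterConfig config) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Set the headers first: once sendRedirect() commits the response, later
        // setHeader() calls never reach the client. no-store is what makes the
        // browser re-fetch the page on Back instead of replaying its cache.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1
        response.setHeader("Pragma", "no-cache");                                   // HTTP 1.0
        response.setDateHeader("Expires", 0);                                        // proxies

        HttpSession session = request.getSession(false); // never create one here
        if (session == null || session.getAttribute("username") == null) {
            // Absolute path within the context, so /secure/x does not redirect to /secure/welcome.html.
            response.sendRedirect(request.getContextPath() + "/" + LOGIN_PAGE);
            return;
        }
        chain.doFilter(req, res); // logged in: let the restricted page render
    }

    @Override
    public void destroy() {
    }
}
```

After logout invalidates the session, Back forces a fresh request for the restricted page, the filter finds no session and redirects to the login page instead of serving the old content.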