This article describes how to prevent a user from seeing a previously visited secured page after logging out.

Problem description

I have the requirement that the end user should not be able to go back to the restricted page after logout/sign out. But currently the end user is able to do that by the browser back button, visiting browser history or even by re-entering the URL in browser's address bar.

Basically, I want that the end user should not be able to access the restricted page in any way after sign out. How can I achieve this the best? Can I disable the back button with JavaScript?

Recommended answer

You can and should not disable the browser back button or history. That's bad for user experience. There are JavaScript hacks, but they are not reliable and will also not work when the client has JS disabled.

Your concrete problem is that the requested page is being loaded from the browser cache instead of straight from the server. This is essentially harmless, but indeed confusing to the end user, because s/he incorrectly thinks that it's really coming from the server.

You just need to instruct the browser to not cache all the restricted JSP pages (and thus not only the logout page/action itself!). This way the browser is forced to request the page from the server instead of from the cache and hence all login checks on the server will be executed. You can do this using a Filter which sets the necessary response headers in the doFilter() method:

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

@WebFilter
public class NoCacheFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;

        // Set the headers before continuing the chain, so they are present on the
        // response no matter what the downstream servlet or JSP produces.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
        response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
        response.setDateHeader("Expires", 0); // Proxies.

        chain.doFilter(req, res);
    }

    // ...
}

Map this Filter on an url-pattern of interest, for example *.jsp.

@WebFilter("*.jsp")

Or if you want to put this restriction on secured pages only, then you should specify a URL pattern which covers all those secured pages. For example, when they are all in the folder /app, then you need to specify the URL pattern of /app/*.

@WebFilter("/app/*")

Even more, you can do this job in the same Filter as where you're checking the presence of the logged-in user.

Don't forget to clear browser cache before testing! ;)

  • Authentication filter and servlet for login
  • How to control web page caching, across all browsers?
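The answer's last suggestion, doing the login check and the no-cache headers in one Filter mapped on /app/*, written out as an added example (this is editor-supplied code, not part of the original answer). It assumes the login servlet stores the logged-in user in the session under the attribute name "user" and that the login page lives at /login.jsp; both names are placeholders for whatever the application actually uses.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Covers every secured page under /app, so the back button, the history list and a
// retyped URL all hit this filter instead of a cached copy.
@WebFilter("/app/*")
public class LoginAndNoCacheFilter implements Filter {

    // Assumed session attribute and login page; adjust to the application's own names.
    private static final String USER_ATTRIBUTE = "user";
    private static final String LOGIN_PAGE = "/login.jsp";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Set the no-cache headers unconditionally, before either branch below, so that
        // neither the secured page nor the redirect to the login page is cached.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
        response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
        response.setDateHeader("Expires", 0); // Proxies.

        // getSession(false) never creates a session, so an anonymous request stays anonymous.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTRIBUTE) != null;

        if (loggedIn) {
            chain.doFilter(req, res);
        } else {
            // After logout the session is gone (or the attribute was removed), so every
            // request for a secured page ends up here rather than showing old content.
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
        }
    }

    // Explicit no-op implementations so the class also compiles on Servlet 3.x, where
    // init() and destroy() are not yet default methods of the Filter interface.
    @Override
    public void init(FilterConfig config) throws ServletException {
    }

    @Override
    public void destroy() {
    }
}
```

The headers are written before the login check so that they also apply to the redirect response; a cached redirect would be just as confusing as a cached page. The logout action itself should invalidate the session (session.invalidate()), which is what makes the check above fail on the next request.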

05-27 02:01