问题描述
所以这就是问题所在。当用户退出我的网站时,他们仍然可以点击后退按钮并继续使用该网站。为了跟踪用户是否登录,我创建了一个会话属性isActive。用户登录时该属性设置为true,并且在注销时会话无效之前(冗余)删除该属性。同样在每个页面上,我都会检查属性是否存在。
So here is the problem. When a user logs out of my website, they can still hit the back button and continue using the site. To keep track of whether the user is logged in or not, I created a session attribute "isActive". The attribute is set to true when the user logs in, and is (redundantly) removed right before the session is invalidated at logout. Also on every page I check if the attribute is present.
我还指定不应在其头标签中缓存页面。
I also specify that pages should not be cached in their head tags.
尽管这些用户仍然能够回击浏览器,并继续使用该网站,就好像他们从未注销过一样。
Despite this users are still able to hit back on the browser, and continue to use the site as if they never logged off.
任何想法如何解决这个问题?
Any idea on how to fix this?
以下是代码:
登录Servlet:
...
session.setAttribute("isActive", true);
//Redirect to home page.
检查登录JSP:
<c:if test='${empty sessionScope.isActive || sessionScope.isActive != true}'>
<c:redirect url="/index.jsp?message=Session Timed Out."/>
</c:if>
退出Servlet:
request.getSession().removeAttribute("isActive");
request.getSession().invalidate();
response.sendRedirect("index.jsp");
内部标记:
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-Control" content="no-cache">
<meta http-equiv="Expires" content="Sat, 01 Dec 2001 00:00:00 GMT">
谢谢
推荐答案
元标记是不够的。您需要将它们添加为完整的响应标头。 webbrowser依赖于它们。 过滤器对此有帮助。此外, Cache-Control 标头不完整(在Firefox等中无法正常工作)。
The meta tags are not sufficient. You need to add them as fullworthy response headers. The webbrowser relies on them. A Filter is helpful in this. Also, the Cache-Control header is incomplete (won't work as expected in Firefox, among others).
在过滤器的 doFilter()方法中实现此方法,该方法映射在 url上-pattern 例如 * .jsp (如果你想覆盖所有JSP页面)。
Implement this in the doFilter() method of a Filter which is mapped on an url-pattern of for example *.jsp (if you want to cover all JSP pages).
HttpServletResponse res = (HttpServletResponse) response;
res.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
res.setHeader("Pragma", "no-cache"); // HTTP 1.0.
res.setDateHeader("Expires", 0); // Proxies.
chain.doFilter(request, response);
这样,webbrowser将被强制在服务器上发出实际请求而不是显示来自的页面浏览器缓存。此外,您应该使用过滤器来检查登录用户的存在,而不是JSP / JSTL。
This way the webbrowser will be forced to fire a real request on the server rather than displaying the page from the browser cache. Also, you should rather be using a Filter to check the presence of the logged-in user, not JSP/JSTL.
- Making sure a page is not cached, across all browsers
- Checking if an user is logged in
- Authenticating the user using filters
这篇关于如何正确地使JSP会话无效?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!