saplingPro

Reputation: 21329

What else should I take care of after I make the user logout?

In my website when the user clicks logout I do:

session.invalidate();

After this I redirect the user to the index page of the website. Is this OK? I asked this because after the user logs out from the website:

  1. I still see the cookie named JSESSIONID in the browser that says it will expire at the end of session.
  2. When a new user presses the back key he is able to see the data of the previous user.

Upvotes: 0

Views: 132

Answers (1)

Dandy

Reputation: 684

  1. After logout when you redirect the user to the index page, a new session will be created. Check if the sessionId (JSESSIONID) before logout is different from the sessionId after logout. They should be different and in that case there is nothing to worry about.

  2. When the user clicks on BACK, the page would be shown from the browser's cache. But since the session has expired, they generally should not be able to do anything which takes data from the invalidated session. You can prevent the user from seeing anything when they click the Back button by disabling the caching of the page. That can be done using META tags - <META HTTP-EQUIV="Pragma" CONTENT="no-cache"> <META HTTP-EQUIV="Expires" CONTENT="-1">

Upvotes: 1
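
A server-side version of the two points in the answer above, as an added example that is not part of the original post: a logout servlet that invalidates the session and expires the old JSESSIONID cookie, and a filter that sends the no-cache directives as HTTP response headers. It assumes Servlet 3.0+ (`javax.servlet`), a logout form that POSTs to `/logout`, and an index page at `/index.jsp`; the class names and URL mappings are illustrative.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

// Holder so both classes compile from one file; names and mappings are illustrative.
public class LogoutSupport {

    // Handles the logout click: destroy server-side state, then drop the old cookie.
    @WebServlet("/logout")
    public static class LogoutServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            HttpSession session = req.getSession(false); // do not create one just to kill it
            if (session != null) {
                session.invalidate();
            }
            // Overwrite JSESSIONID with an already-expired cookie.
            // Assumption: the container issued it on the context path.
            Cookie expired = new Cookie("JSESSIONID", "");
            String path = req.getContextPath();
            expired.setPath(path.isEmpty() ? "/" : path);
            expired.setMaxAge(0);
            expired.setHttpOnly(true);
            resp.addCookie(expired);
            resp.sendRedirect(req.getContextPath() + "/index.jsp"); // assumed index page
        }
    }

    // Marks every response as non-cacheable so Back re-requests the page.
    @WebFilter("/*")
    public static class NoCacheFilter implements Filter {
        @Override public void init(FilterConfig cfg) { }
        @Override public void destroy() { }

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletResponse resp = (HttpServletResponse) res;
            resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
            resp.setHeader("Pragma", "no-cache"); // HTTP/1.0 caches
            resp.setDateHeader("Expires", 0);
            chain.doFilter(req, res);
        }
    }
}
```

Mapping the filter to `/*` also disables caching of static resources; narrowing the mapping to the pages that show per-user data keeps images, scripts and stylesheets cacheable.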
