How handle browser back button in spring mvc

Question

When a user is logged on session information is stored. And session information is erased when the user is logged out . But when I hit the browser 's back button user information is displayed. Since session is gone but we can not be sure the user login operation is carried out. How do I resolve this issue ?

  ----------------------------log out -------------------------------

   @RequestMapping(value="logout.htm",method = RequestMethod.GET)
   public void logOut(HttpSession session,HttpServletResponse                 
   response,HttpServletRequest request) throws IOException{
    final String refererUrl = request.getHeader("Referer");
    response.setHeader(refererUrl, "no-cache");
    response.setHeader("Cache-Control", "no-cache");
    response.setDateHeader("Expires", 0);
    session.removeAttribute("user");
    session.invalidate();
    response.sendRedirect("index.htm");
   }
    ---------------------------------- login ---------------
  @RequestMapping(value="/userLogin",method=RequestMethod.POST)

  public @ResponseBody JsonResponse
 login(@ModelAttribute(value="user") User user, BindingResult     result,HttpServletRequest request,HttpSession session,ModelMap model) throws    UnsupportedEncodingException{

    JsonResponse res = new JsonResponse();

    if(!result.hasErrors()&& userService.findUser(user, request)){
        res.setStatus("SUCCESS");
        session.setAttribute("user",
      new String(user.getUsername().getBytes("iso-  8859-1"), "UTF-8"));
      }
         else{
        res.setStatus("FAIL");
        result.rejectValue("username","1");
        res.setResult(result.getAllErrors());
       }
      return res;
   }
   --------------------------profile --------------------------------------

    @RequestMapping(value="myProfile.htm",method = RequestMethod.GET)
   public String showmyProfile(@ModelAttribute(value="addUser") User user,Model          model,HttpServletRequest request,
        HttpServletResponse response,
         HttpSession session) throws IOException{

        if(session.getAttribute("user")== null){
        response.sendRedirect("index");
    }

Answer 1

The Spring Boot implementation is extrapolated from Hadi J's answer.

NOTE: This implementation will work for Spring Boot v1.3.0 or above.

---

Create a CustomFilter.java class which will implement the Filter interface. The aim here is to disable caching.

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

@WebFilter
public class CustomFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse httpServletResponse = (HttpServletResponse) response;
        
        httpServletResponse.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
        httpServletResponse.setHeader("Pragma", "no-cache"); // HTTP 1.0.
        httpServletResponse.setDateHeader("Expires", 0); // Proxies.
        
        chain.doFilter(request, response);
    }

}

Finally, add the @ServletComponentScan annotation to your SpringBootApplication class. This will enable scanning for @WebFilter, @WebListener and @WebServlet annotations.

@ServletComponentScan
@SpringBootApplication
public class SampleSpringBootApplication {

    public static void main(String[] args) {
        SpringApplication.run(SampleSpringBootApplication.class, args);
    }
}

Answer 2

In spring-security 4.0 this problem has solved by default.You do not need to write any additional codes,even in security XML configurations.

Answer 3

Configure an interceptor inside Servlet Context as this:

<!--  configuration for handling browser back button  -->
<mvc:interceptors>
    <mvc:interceptor>
        <mvc:mapping path="/**/*"/>
        <beans:bean id="webContentInterceptor" class="org.springframework.web.servlet.mvc.WebContentInterceptor">
            <beans:property name="cacheSeconds" value="0"/>
            <beans:property name="useExpiresHeader" value="true"/>
            <beans:property name="useCacheControlHeader" value="true"/>
            <beans:property name="useCacheControlNoStore" value="true"/>
        </beans:bean>
    </mvc:interceptor>
</mvc:interceptors>

Note: Don't forget to remove your browser cache while testing your application.

Answer 4

i use this method. first create one class that implements Filter and override doFilter() method. code of doFilter() is:

 @Override
 public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletResponse hsr = (HttpServletResponse) res;
hsr.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
hsr.setHeader("Pragma", "no-cache"); // HTTP 1.0.
hsr.setDateHeader("Expires", 0); // Proxies.
chain.doFilter(req, res);
 }

after use filter in web.xml. this filter is this.

  <filter>
    <filter-name>noCacheFilter</filter-name>
    <filter-class>com.example.NoCacheFilter</filter-class>
 </filter>
 <filter-mapping>
  <filter-name>noCacheFilter</filter-name>
  <url-pattern>/secured/*.jsp</url-pattern>// urls that not cached 
 </filter-mapping>

Answer 5

response.setHeader(refererUrl, "no-cache");
response.setHeader("Cache-Control", "no-cache");
response.setDateHeader("Expires", 0);

The above code clears cache and expiring the session in the server side. But whether session is live or not, it should be verified or handled in your view (HTML or JSP). You can have the following meta tags in your view to say no-cache and no-store

<meta http-equiv="Cache-control" content="no-cache">

or

<META HTTP-EQUIV="Cache-Control" CONTENT="No-Cache,Must-Revalidate,No-Store">

Please refer this for Browser Cache Control