Kazekage Gaara

Reputation: 15052

Prohibit the user from going back to a secure page after logout, JSP with Firefox 5.0

I want to prohibit the user from going back to a secure page after logout when he/she clicks on the back button of the browser (in my case it is Mozilla Firefox 5.0). I found two ways, setting proper headers:

response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
response.setHeader("Pragma", "No-cache");
response.setDateHeader("Expires", 0);

or disabling the back button using JavaScript:

<script type="text/javascript">
window.history.forward(1);
</script>

Actually, the JavaScript doesn't disable the back button, it just forwards the user one page ahead in the history, which should serve the purpose.

But neither works. My logout page contains the following code:

<script type="text/javascript">
window.history.forward(1);
</script>

<% HttpSession ses=request.getSession(false);
ses.invalidate();
String referer = request.getHeader("Referer");
response.sendRedirect(referer);
response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
response.setHeader("Pragma", "No-cache");
response.setDateHeader("Expires", 0);
%>

It doesn't serve my purpose. Please help.

Upvotes: 0

Views: 2934

Answers (1)

BalusC

Reputation: 1108702

Those headers need to be set on all the secured pages themselves, not on the JSP where you're placing the logout logic, which actually belongs in a servlet. Even more, since you're sending a redirect here, those headers have totally no effect.

The proper approach would be to map a Filter on the desired URL pattern which does the job. I'm sure that the majority of the answers which you initially found here are also suggesting that :)


Upvotes: 2
