Suri

Reputation: 17

Invalidating session in Sun one Applications server 7.1

I am facing a problem with sessions using Servlets and JSP: when a user logs in/out of my application, it displays the last accessed username. When the user has logged in successfully to the application, I put the user information into the session like this:

    HttpSession session = request.getSession(false);
    // Store the logged-in user's name under the "username" key.
    session.setAttribute("username", username);

When the user clicks on logout in the application, I wrote this code:

    HttpSession session = request.getSession(false);

    // Invalidate the existing session, if any, on logout.
    if (session != null) {
        session.invalidate();
    }

    response.setHeader("Pragma", "cache");
    response.setHeader("Cache-Control", "private, must-revalidate");

I have checked whether the session is available when the user logs out. The session is invalidated. But when I log in again in the same browser with a different user, I get the last accessed session user. I have already set the response.setHeader for the login page and the loaded page. I get the same problem. This issue occurs only on the client side (production server). We are using Sun One Application Server 7.1.

Upvotes: 0

Views: 201

Answers (1)

BalusC

Reputation: 1108702

There are 2 problems:

  1. You're setting the wrong cache headers. You need to set the following headers:

    response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
    response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
    response.setDateHeader("Expires", 0); // Proxies.
    
  2. You're setting the cache headers on the wrong page. You have to set them on all pages which require a login, not only on the page which appears after logout. You need to create a Filter which does the response header setting job in the doFilter() method and then map the filter on a URL pattern covering the pages which require a login, such as /app/*, /secured/*, etc.


Unrelated to the concrete problem, don't use request.getSession(false), instead just use request.getSession() without the boolean.

Upvotes: 1
