Vivek

Reputation: 2101

Implement No Cache using Spring Security

I would like to know how I can implement no-cache functionality using Spring Security. That is, when a user logs out of the application, he/she can always make use of the browser back button to visit the previous pages.

I want to prevent this behavior, show the user a "page expired" message, and ask him to log in again.

How can I achieve this using Spring Security?

Upvotes: 0

Views: 2375

Answers (2)

Rob D

Reputation: 68

I don't think page caching is a responsibility of application security.
If there is a requirement for your application to prevent cached pages being displayed when using the back button, then your application must send the no-cache headers in its response (examples below).
If these are used, then the browser will request the page again when using the back button, and the Spring Security login config and access-denied config will be used.

HTTP headers:

    // response is the HttpServletResponse for the current request
    response.addHeader("Pragma", "no-cache");
    response.addHeader("Cache-Control", "no-cache");
    response.addHeader("Cache-Control", "no-store");
    response.addHeader("Cache-Control", "must-revalidate");
    // expires on some date in the past (valid HTTP-date: correct weekday, two-digit day)
    response.addHeader("Expires", "Tue, 08 Aug 2006 10:00:00 GMT");

Upvotes: 0

Kurt Du Bois

Reputation: 7655

If the user hits the back-button in his browser, it will probably go back to a page in its local browser cache and not perform a new request to the website.

The only way you would be able to perform the functionality you need is if you send an Ajax request on each page you have to see if the user session is still valid. This approach is, however, invalidated when the user turns JavaScript off in his or her browser.

Upvotes: 1
