servlet session, after logout, when back button of browser is pressed, again the secure page is shown


Problem description

I have a servlet and an HTML page. How can I prevent the user from hitting the back button of the browser after logout? I have read the same question on Stack Overflow, but the answers use browser-history disabling with JavaScript or no-cache in the page's HTTP headers. How can we implement it using servlets that prevent the go-back action? The HTTP no-cache header is useless, as Firefox says the page has expired, and when it is refreshed two times the secure page is shown again.

I have done it in a way, a sample method just for a try (not real). My username and password are posted to the servlet from the HTML page; the servlet stores this in a session if the password and username are correct. When the secure page is requested again, if the session exists the secure page is shown, and if the user logs out from the session the login page is shown. All are working except that the logout fails if the user hits the back button of the browser.

How can I prevent the secure servlet from being shown when the browser's back button is pressed after logout?

src of welcome.html

<html>
<body>

<form method="POST" action="Sessionexample">
<div align="center">
<table border="1"   style="border-collapse: collapse">
    <tr>
        <td>Username</td>
        <td><input type="text" name="username" size="20"></td>
    </tr>
    <tr>
        <td>Password</td>
        <td><input type="password" name="password" size="20"></td>
    </tr>
    <tr>
        <td height="24">&nbsp;</td>
        <td height="24">&nbsp;</td>
    </tr>
    <tr>
        <td>&nbsp;</td>
        <td><input type="submit" value="Submit" name="B1"></td>
    </tr>
</table>
</div>
</form>
</body>
</html>

src of the servlet

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class Sessionexample extends HttpServlet implements Filter {
    private static final long serialVersionUID = 1L;

    // A servlet instance is shared by every concurrent request, so per-request
    // state (credentials, session, writer) is kept in local variables and passed
    // as parameters; instance fields would let one user's data leak into another
    // user's request.

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Nothing to configure for this filter.
    }

    @Override
    public void destroy() {
        // Nothing to clean up.
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("username") == null) {
            response.sendRedirect("welcome.html"); // No logged-in user found, so redirect to login page.
            response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
            response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
            response.setDateHeader("Expires", 0);
        } else {
            chain.doFilter(req, res);
        }
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter pw = response.getWriter();
        HttpSession session = request.getSession(false);
        try {
            if (request.getParameter("action") != null) {
                if (request.getParameter("action").equals("logout")) {
                    // Logout: drop the session and send the user back to the login page.
                    session = request.getSession(true);
                    session.setAttribute("username", "");
                    session.setAttribute("password", "");
                    session.invalidate();
                    response.sendRedirect("welcome.html");
                    return;
                }
            } else if (session != null) {
                // Plain GET of the secure page: read the credentials stored at login.
                String username = null, password = null;
                if (session.getAttribute("username") != null)
                    username = session.getAttribute("username").toString();
                if (session.getAttribute("password") != null)
                    password = session.getAttribute("password").toString();
                pw.write("not new-");
                serviced(request, response, username, password, false); // a GET never creates the session
            }
        } catch (Exception ex) {
            pw.write("Error-" + ex.getMessage());
        }
    }

    /**
     * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
     */
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        String username = null, password = null;
        if (request.getParameter("username") != null && request.getParameter("password") != null) {
            username = request.getParameter("username");
            password = request.getParameter("password");
        }
        // POST is the login form submission: a successful check creates the session.
        serviced(request, response, username, password, true);
    }

    protected void serviced(HttpServletRequest request, HttpServletResponse response,
                            String username, String password, boolean createSession) throws IOException {
        response.setContentType("text/html");
        PrintWriter pw = response.getWriter();
        if (username != null && password != null) {
            if (username.equals("admin") && password.equals("a")) {
                try {
                    if (createSession) {
                        // Mark the session as authenticated. Storing the password in the
                        // session is unnecessary; the username attribute alone is what the
                        // filter checks.
                        HttpSession session = request.getSession(true);
                        session.setAttribute("username", "admin");
                        session.setAttribute("password", "a");
                    }
                    pw.write("You are logged in : " + username + "  <br/> " + "<a href='?action=logout'><h1>   Logout </h1> </a>");
                } catch (Exception ex) {
                    response.sendRedirect("welcome.html");
                }
            } else {
                response.sendRedirect("welcome.html");
            }
        } else {
            response.sendRedirect("welcome.html");
        }
    }
}

Answer

Your filter is setting the no-cache headers on welcome.html only, not on the restricted pages. So whenever the browser requests any of those restricted pages via the back button, it will likely show the cached version. Your filter needs to set the no-cache headers on all restricted pages.

So you need to change

    if (session == null || session.getAttribute("username") == null) {
        response.sendRedirect("welcome.html"); // No logged-in user found, so redirect to login page.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
        response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
        response.setDateHeader("Expires", 0);
    } else {
        chain.doFilter(req, res);  
    }

by

    if (session == null || session.getAttribute("username") == null) {
        response.sendRedirect("welcome.html"); // No logged-in user found, so redirect to login page.
    } else {
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
        response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
        response.setDateHeader("Expires", 0);
        chain.doFilter(req, res);  
    }
