servlet会话,注销后,按下浏览器的后退按钮时,再次显示安全页面[重复]
Posted
技术标签:
【中文标题】servlet会话,注销后,按下浏览器的后退按钮时,再次显示安全页面[重复]【英文标题】:servlet session , after logout , when back button of browser is pressed , again the secure page is shown [duplicate] 【发布时间】:2012-12-22 14:05:28 【问题描述】:我有一个 servlet 和一个 html 页面。如何防止用户在注销后点击浏览器的后退按钮?我在 *** 中阅读了相同的问题,但答案是使用 java 脚本禁用浏览器历史记录或使用页面 - http 标头中没有缓存。我们如何使用防止返回操作的 servlet 来实现它,http-header no cache 是无用的,因为 Firefox 表示页面在再次刷新两次时已过期,显示安全页面。
我在某种程度上做了,示例方法只是为了尝试(不是真的) 我的用户名和密码从 HTML 页面发布到 servlet,如果密码和用户名正确,则 servlet 将其存储在会话中。 当再次请求安全页面时,如果会话存在,则显示安全页面,并且用户从会话中注销登录页面显示所有正在工作,除非用户点击浏览器的返回按钮注销失败。
我们如何防止安全 servlet 在注销后在浏览器中按下返回按钮后显示内容?
welcome.html 的源代码
<html>
<body>
<form method="POST" action="Sessionexample">
<div align="center">
<table border="1" style="border-collapse: collapse">
<tr>
<td>Username</td>
<td><input type="text" name="username" size="20"></td>
</tr>
<tr>
<td>Password</td>
<td><input type="text" name="password" size="20"></td>
</tr>
<tr>
<td > </td>
<td > </td>
</tr>
<tr>
<td> </td>
<td><input type="submit" value="Submit" name="B1"></td>
</tr>
</table>
</div>
</form>
</body>
</html>
servlet 的源代码
public class Sessionexample extends HttpServlet implements Servlet , Filter
private static final long serialVersionUID = 1L;
public String username =null, password=null;
public HttpSession session ;
public PrintWriter pw;
int do_get =0 ;
/**
* Default constructor.
*/
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
HttpSession session = request.getSession(false);
if (session == null || session.getAttribute("username") == null)
response.sendRedirect("welcome.html"); // No logged-in user found, so redirect to login page.
response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
response.setDateHeader("Expires", 0);
else
chain.doFilter(req, res);
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
do_get=1;
pw = response.getWriter();
session=request.getSession(false);
try
if(request.getParameter("action")!=null)
if(request.getParameter("action").equals("logout"))
session = request.getSession(true);
session.setAttribute("username", "");
session.setAttribute("password", "");
session.invalidate();
response.sendRedirect("welcome.html");
return;
else
if(session !=null)
if( (String)session.getAttribute(username)!=null)
username = (String)session.getAttribute("username").toString();
if( (String)session.getAttribute("password") !=null)
password =session.getAttribute("password").toString();
pw.write("not new-");
serviced(request,response);
catch(Exception ex)
pw.write("Error-"+ex.getMessage());
/**
* @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
*/
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
if(request.getParameter("username")!=null && request.getParameter("password")!=null )
username = request.getParameter("username").toString();
password = request.getParameter("password").toString();
serviced(request,response);
protected void serviced(HttpServletRequest request, HttpServletResponse response) throws IOException
response.setContentType("text/html");
pw = response.getWriter();
if( username !=null && password !=null)
if( username.equals("admin") && password.equals("a"))
try
if(do_get==0)
session = request.getSession(true);
session.setAttribute("username", "admin");
session.setAttribute("password", "a");
pw.write("You are logged in : "+username+" <br/> "+"<a href='?action=logout'><h1> Logout </h1> </a>");
catch(Exception ex)
response.sendRedirect("welcome.html");
else
response.sendRedirect("welcome.html");
else
response.sendRedirect("welcome.html");
@Override
public boolean accept(Object arg0) throws IOException
// TODO Auto-generated method stub
return false;
【问题讨论】:
【参考方案1】:您的过滤器仅在welcome.html 上设置无缓存标头,而不是在受限页面上。因此,每当浏览器通过后退按钮请求任何这些受限页面时,它都可能会显示缓存版本。您的过滤器需要在所有受限页面上设置无缓存标头。
所以,你需要改变
if (session == null || session.getAttribute("username") == null)
response.sendRedirect("welcome.html"); // No logged-in user found, so redirect to login page.
response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
response.setDateHeader("Expires", 0);
else
chain.doFilter(req, res);
到
if (session == null || session.getAttribute("username") == null)
response.sendRedirect("welcome.html"); // No logged-in user found, so redirect to login page.
else
response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
response.setDateHeader("Expires", 0);
chain.doFilter(req, res);
【讨论】:
我认为需要链接!!以上是关于servlet会话,注销后,按下浏览器的后退按钮时,再次显示安全页面[重复]的主要内容,如果未能解决你的问题,请参考以下文章
当在rails中按下浏览器的后退按钮时,在注销后进入登录页面