Wednesday 23 October 2013

Preventing Browser Back Navigation after Logout - JSPs




Modern browsers cache previously visited pages, so on websites where authentication plays an important role it is necessary to stop those pages from being served out of the cache.

The example below illustrates the scenario.



  • A user logs into their account with credentials.
  • The user navigates between pages within the site.
  • Once the user logs out, the session is terminated, but because the browser has cached the previous pages, clicking the Back button can still display the previously visited pages.
  • This is a potential security breach. To avoid it, browser Back navigation to those pages must be prevented.


  • The code below illustrates this scenario.

    index.jsp
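    <%@ page language="java" contentType="text/html; charset=ISO-8859-1"
        pageEncoding="ISO-8859-1"%>
    <%--
       index.jsp: the public login form.
       This page deliberately puts nothing into the session. The "username"
       attribute is only set by login.jsp after the form has been submitted, so
       the guard on the protected pages (username == null -> redirect) cannot be
       passed simply by having visited this page first.
    --%>
    <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
    <title>Insert title here</title>
    </head>
    <body>
     <form action="login.jsp" method="post">
        Username <input type="text" name="uname"><br/>
        <input type="submit"/>
     </form>
    </body>
    </html>
      
    login.jsp
    <%@ page language="java" contentType="text/html; charset=ISO-8859-1"
        pageEncoding="ISO-8859-1"%>
    <%!
       // Escapes the characters that are significant in HTML so that a request
       // parameter echoed into the page body cannot inject markup or script.
       private static String esc(String s) {
          if (s == null) return "";
          StringBuilder sb = new StringBuilder(s.length());
          for (int i = 0; i < s.length(); i++) {
             char c = s.charAt(i);
             switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
             }
          }
          return sb.toString();
       }
    %>
    <%
       // The implicit "session" object is created on demand, so the mere
       // existence of a session says nothing about whether the user logged in;
       // only the "username" attribute does.
       String uname = request.getParameter("uname");
       if (uname != null && uname.length() > 0) {
          // A login attempt: discard any pre-existing session and start a fresh
          // one, so the authenticated state lives under a new session id.
          session.invalidate();
          session = request.getSession(true);
          session.setAttribute("username", uname);
       }

       // Pages served after login must not be cached. setHeader() replaces an
       // existing value, so all Cache-Control directives go in a single call
       // (two separate calls would leave only the last directive).
       response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
       response.setHeader("Pragma", "no-cache");
       response.setDateHeader("Expires", 0);

       if (session.getAttribute("username") == null) {
          response.sendRedirect("index.jsp");
          // Without this return the rest of the page is still rendered into
          // the redirect response.
          return;
       }
       // Display the name from the session, so a plain GET of this page after
       // login still shows who is logged in.
       uname = (String) session.getAttribute("username");
    %>
    <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
    <title>Insert title here</title>
    </head>
    <body>
     <h3>Hi <%= esc(uname) %></h3>
     <form action="page1.jsp" method="post">
      Email <input type="text" name="email"/>
      <input type="submit"/>
     </form>
    </body>
    </html>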
      
    page1.jsp
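    <%@ page language="java" contentType="text/html; charset=ISO-8859-1"
        pageEncoding="ISO-8859-1"%>
    <%!
       // Escapes the characters that are significant in HTML so that a request
       // parameter echoed into the page body cannot inject markup or script.
       private static String esc(String s) {
          if (s == null) return "";
          StringBuilder sb = new StringBuilder(s.length());
          for (int i = 0; i < s.length(); i++) {
             char c = s.charAt(i);
             switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
             }
          }
          return sb.toString();
       }
    %>
    <%
       // page1.jsp: a protected page. It must not be cached, so that the Back
       // button after logout re-requests it and hits the guard below.
       // setHeader() replaces an existing value, so all Cache-Control
       // directives go in a single call.
       response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
       response.setHeader("Pragma", "no-cache");
       response.setDateHeader("Expires", 0);

       // Only a session that login.jsp populated carries "username".
       if (session.getAttribute("username") == null) {
          response.sendRedirect("index.jsp");
          // Without this return the protected content below is still written
          // into the redirect response.
          return;
       }

       String email = request.getParameter("email");
    %>
    <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
    <title>PAGE 1</title>
    </head>
    <body>
     <h3>Hi <%= esc(email) %></h3>
     <form action="logout.jsp" method="post">
      <input type="submit" value="LOGOUT"/>
     </form>
    </body>
    </html>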
    
    logout.jsp
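    <%@ page language="java" contentType="text/html; charset=ISO-8859-1"
        pageEncoding="ISO-8859-1"%>
    <%
       // logout.jsp: ends the authenticated session. The confirmation page is
       // itself marked non-cacheable; setHeader() replaces an existing value,
       // so all Cache-Control directives go in a single call.
       response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
       response.setHeader("Pragma", "no-cache");
       response.setDateHeader("Expires", 0);

       // Drops every attribute, including "username", so the protected pages
       // redirect to index.jsp on the next request (including Back navigation).
       session.invalidate();
    %>
    <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
    <title>LOGOUT</title>
    </head>
    <body>
         You have successfully logged out
    </body>
    </html>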
     
