April 24th, 2003, 05:24 PM
jsp/Beans Logout - no back-Button!
I'm programming a web application with JSP and JavaBeans. I use a LoginBean to validate the user's ID and password and it works fine. But if the user logs out (and I invalidate the session) there is a problem: the user logs out and comes to the start page. But then he might use the Back button of his browser and so come to an invalid page.
I would like the Back button to always direct the user to the current start page, so that he actually can't go back...
Perhaps this is a very simple problem, sorry, but I can't find an answer....
Can someone help me?
April 26th, 2003, 12:23 PM
The reason you can find no answer is because this is not done in web applications. What you want to do is very basic - in a typical client application, NOT a web application. A common misconception for programmers to make when designing a web application is to try and force the order of access to the pages in the application. This is easily done if you are designing a GUI app, but is near impossible to do in a web based app. Therefore, instead of trying to force the user to do what you want (which is, for all practical purposes, impossible), design your app so that it does not matter what page they request, it will still work.
You have to realize that the back button is not programmable to you as a web programmer. When a user hits the back button, they will often get a cached copy of the page. It does not necessarily re-request from the server. Because of this, you are very limited in what you can do. There are header tags you can use to tell the browser not to cache the page, but IE conveniently ignores them if a page is over a certain size.
Believe me, I have been where you are and have come to the conclusion that you always assume a user can request any page at any time and that a cached copy might be used. Always verify your session data is valid when doing any transactions. This is important so I will repeat - always make sure the session data is valid whenever you try and use it and, if it isn't, redirect the user to log in.
I rarely invalidate sessions. As a rule, you should not have a lot of data in the session. This is a huge performance hog on the server. Given that, if you leave the default session timeout to 30 minutes, I have found it is better to just let the server invalidate the session after timeout.