
Session logout/timeout

To make it short, here is the scenario:

  • The browser back button must be functional (I'm using JSF 2.0, so this is working)

  • After logout, if a user clicks the back button, the app must redirect him/her to the login page (not working, the user is able to view protected pages, although expired. I can't include the meta tags to disable browser caching because the back button stops working)

  • If the user invokes an action, by clicking a button, on one of the expired pages it should redirect him/her to the login or error page (not working, the app throws an error and shows a blank page. My ExceptionHandlerWrapper implementation detects the exception and it is using a NavigationHandler to change the viewId and render the response ("facesException" mapping on faces-config that points to login.jsf), but the app is not behaving as expected)

Can someone please help me to solve this problem?

  • The browser back button must be functional (I'm using JSF 2.0, so this is working)

  • After logout, if a user clicks the back button, the app must redirect him/her to the login page (not working, the user is able to view protected pages, although expired. I can't include the meta tags to disable browser caching because the back button stops working)

Two steps to solve this problem.

  1. Disable browser cache by setting response headers accordingly. You can do this in a Filter which is mapped on the FacesServlet.

         HttpServletResponse hsr = (HttpServletResponse) response;
         hsr.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
         hsr.setHeader("Pragma", "no-cache"); // HTTP 1.0.
         hsr.setDateHeader("Expires", 0); // Proxies.
         chain.doFilter(request, response);

  2. Do not use HTTP POST for page-to-page navigation. Always use HTTP GET for page-to-page navigation. If you need to submit a form, let it submit to self (i.e. let the action method return null or void) and use h:messages or h:somecomponent rendered="#{success}" to display results in the same page conditionally.


  • If the user invokes an action, by clicking a button, on one of the expired pages it should redirect him/her to the login or error page (not working, the app throws an error and shows a blank page. My ExceptionHandlerWrapper implementation detects the exception and it is using a NavigationHandler to change the viewId and render the response ("facesException" mapping on faces-config that points to login.jsf), but the app is not behaving as expected)

An <error-page> on javax.faces.webapp.ViewExpiredException would have been enough. See also this answer.
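Step 1 of the answer above as a complete servlet filter; this is an added example, not code from the original answer. It assumes a Servlet 3.0 container (for @WebFilter) and that the FacesServlet is registered under the servlet name "Faces Servlet"; the class name NoCacheFilter is hypothetical. It goes slightly beyond the answer's snippet by leaving JSF resource requests (CSS, JS, images) cacheable, so only the dynamic, possibly protected pages are kept out of the browser and proxy caches.

```java
import java.io.IOException;
import javax.faces.application.ResourceHandler;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumption: the FacesServlet is declared in web.xml as "Faces Servlet".
@WebFilter(servletNames = {"Faces Servlet"})
public class NoCacheFilter implements Filter {

    @Override
    public void init(FilterConfig config) throws ServletException {
        // No configuration needed.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // JSF 2.0 serves static resources through the FacesServlet under
        // <context>/javax.faces.resource; those carry no user data.
        String resourcePrefix = req.getContextPath() + ResourceHandler.RESOURCE_IDENTIFIER;

        if (!req.getRequestURI().startsWith(resourcePrefix)) {
            // Every page view must be re-requested from the server, so a
            // back-button press after logout reaches the login check
            // instead of a cached copy of a protected page.
            res.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1
            res.setHeader("Pragma", "no-cache");                                   // HTTP 1.0
            res.setDateHeader("Expires", 0);                                       // Proxies
        }

        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

The headers only affect responses served after the filter is deployed; pages already cached by a browser stay cached until that cache is cleared.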
