Posted to users@tapestry.apache.org by Olga <ba...@list.ru> on 2011/10/17 13:14:39 UTC

Browser Back Button

Hi all.
I have this question.
I use this annotation to create the session:

    @SessionState(create = false)
    private User user;

and if login passes I do this:

    public Object onSubmitFromLoginForm() throws SQLException {
        user = userService.getUser(username, password);
        if (user != null) {
            return Home.class;
        } else {
            return null;
        }
    }

If I want to log out, I do this:

    @Log
    public Object onActionFromLogout()
    {
        user = null;
        return Index.class;
    }


All this works well, but if I log out and then press the browser Back button,
the previous page is displayed and the user is logged in, but the correct
behavior is that nothing changes. I mean after pressing the Back button we
can't come back to the previous page; we must log in.

Do you have any ideas how I can solve my problem?

Thanks

--
View this message in context: http://tapestry.1045711.n5.nabble.com/Browser-Back-Button-tp4909542p4909542.html
Sent from the Tapestry - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org


Re: Browser Back Button

Posted by Olga <ba...@list.ru>.
really nice answer, thanks

--
View this message in context: http://tapestry.1045711.n5.nabble.com/Browser-Back-Button-tp4909542p4920896.html


Re: Browser Back Button

Posted by Cezary Biernacki <ce...@gmail.com>.
Hi,
I think you are disabling the cache for the incorrect page. You must disable
caching for all pages that should not be available after logout, but you must
do that when the pages are sent to the browser, not on the logout action.

Best regards,
Cezary

On Thu, Oct 20, 2011 at 11:30 AM, Olga <ba...@list.ru> wrote:

> I've tried
>
>     @Log
>     public Object onActionFromLogout()
>     {
>         request.getSession(false).invalidate();
>
>         response.setHeader("Cache-Control",
>             "no-cache,no-store,private,must-revalidate,max-stale=0,post-check=0,pre-check=0");
>         response.setHeader("Pragma", "no-cache");
>         response.setDateHeader("Expires", 0);
>         return Index.class;
>     }
>
> and
>
> <head>
>     <META Http-Equiv="Cache-Control" Content="no-store, no-cache, max-age=0, must-revalidate, private"></META>
>     <META Http-Equiv="Pragma" Content="no-cache"></META>
>     <META Http-Equiv="Expires" Content="0"></META>
> </head>
>
> but still doesn't work ((
>
>
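
Added example (not part of the thread, and not Tapestry's own code): one way to do what Cezary describes, sending the no-cache headers with every page as it goes to the browser instead of with the logout response. The module name AppModule, the filter id "NoStore" and the "/assets/" prefix check are assumptions.

```java
import java.io.IOException;

import org.apache.tapestry5.ioc.OrderedConfiguration;
import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.RequestFilter;
import org.apache.tapestry5.services.RequestHandler;
import org.apache.tapestry5.services.Response;

// Hypothetical application module; Tapestry picks up contribute* methods
// from the module class configured for the application.
public class AppModule {

    // Contributes a filter to the request pipeline. It runs for every
    // request, so the headers travel with each page at the moment the page
    // is sent, which is when the browser decides whether to keep a copy.
    public void contributeRequestHandler(OrderedConfiguration<RequestFilter> configuration) {
        RequestFilter noStore = new RequestFilter() {
            public boolean service(Request request, Response response, RequestHandler handler)
                    throws IOException {
                // Assumption: static assets live under /assets/ and may stay
                // cacheable; every other response is marked non-storable.
                if (!request.getPath().startsWith("/assets/")) {
                    response.setHeader("Cache-Control",
                            "no-store, no-cache, must-revalidate, private");
                    response.setHeader("Pragma", "no-cache"); // for HTTP/1.0 caches
                    response.setDateHeader("Expires", 0);
                }
                // Headers are set before the rest of the pipeline renders the
                // page, i.e. before the response can be committed.
                return handler.service(request, response);
            }
        };
        configuration.add("NoStore", noStore);
    }
}
```

A browser that honours these headers has to ask the server again when Back is pressed, and the request then arrives without a valid session. Pages still need their own server-side check of the session state, because the headers only control what the client keeps.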

Re: Browser Back Button

Posted by "Vangel V. Ajanovski" <aj...@ii.edu.mk>.
On 21.10.2011 11:28, Olga wrote:
> Maybe somebody knows how to clean the cache from a Java file?
You forget that your java files run on the server, not in the browser.


Re: Browser Back Button

Posted by Olga <ba...@list.ru>.
If I clean the cache from the browser after logout, then I have the behaviour
I want. After logout I can't come back to the previous page.

Maybe somebody knows how to clean the cache from a Java file?

--
View this message in context: http://tapestry.1045711.n5.nabble.com/Browser-Back-Button-tp4909542p4924218.html


Re: Browser Back Button

Posted by "Vangel V. Ajanovski" <aj...@ii.edu.mk>.
On 20.10.2011 11:30, Olga wrote:
> but still doesn't work ((
>
You should check first that the browser behaves as ordered. See in the
settings where the cache is located, clean it before trying and monitor
the folder while testing. On the other hand it might be stored in RAM,
and I don't know how that can be checked.


Re: Browser Back Button

Posted by Olga <ba...@list.ru>.
I've tried

    @Log
    public Object onActionFromLogout()
    {
        request.getSession(false).invalidate();

        response.setHeader("Cache-Control",
            "no-cache,no-store,private,must-revalidate,max-stale=0,post-check=0,pre-check=0");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);
        return Index.class;
    }

and

<head>
    <META Http-Equiv="Cache-Control" Content="no-store, no-cache, max-age=0, must-revalidate, private"></META>
    <META Http-Equiv="Pragma" Content="no-cache"></META>
    <META Http-Equiv="Expires" Content="0"></META>
</head>

but still doesn't work ((

--
View this message in context: http://tapestry.1045711.n5.nabble.com/Browser-Back-Button-tp4909542p4920895.html


Re: Browser Back Button

Posted by Muhammad Gelbana <m....@gmail.com>.
Very informative Vangel. Thanks.

On Wed, Oct 19, 2011 at 6:04 PM, Steve Eynon <steve.eynon@alienfactory.co.uk> wrote:

> Vangel,
>
> That's a good articulated answer - I like it!
>
> It's always a popular topic with management so I'll be sure to
> bookmark this comment for future use. Cheers!
>
> Steve.
>
>
> On 19 October 2011 18:06, Vangel V. Ajanovski <aj...@ii.edu.mk> wrote:
> > On 18.10.2011 16:30, Olga wrote:
> >>
> >> I have noticed that with the browser Back button we can see all the page
> >> history, but you can be logged out or logged in with another username.
> >>
> > Correct behaviour of browser is to not contact server at all when clicking
> > Back button, so the content should be reproduced completely from cache.
> > So, you will not see a request on the server side, nor event. Of course
> > user/browser could be changed not to have cache, but this is in control of
> > the user or her administrator.
> >
> > So, even if you follow the advice to put meta tags and response variables
> > so that caching is disabled (or maybe to last 0 seconds) the user/browser
> > may choose to ignore these "hints" and *still* store the pages into cache
> > and *still* allow the user to press Back button and view the history.
> >
> > This is not a bug, it is inherent behaviour of web itself - its
> > philosophy.
> >
> > Whatever you do, it will work for ~90% of users and it will work only if
> > they use a controlled environment - company lan, company desktops,
> > laptops, maybe home environment. Everyone that works with your website
> > from let's say an internet cafe or kiosk, the computers there and the
> > firewall and caching proxy may be set up in such a way to *always* cache
> > pages no matter what and to always respond with "old" content when the
> > user asks.
> >
> > I am not saying that you should not try, but that you should be aware of
> > this, and that the best solution for the other 10% is to educate everyone
> > that critical apps should not be used in public places where you cannot
> > trust the local admins. You should educate users that in order to be safe
> > as much as possible they should *delete browser cache and history and
> > close all browser windows* after logging out and especially before leaving
> > the computer (if it's a public computer). If your personal computer has a
> > chance to be used by someone else, you should not keep passwords, you
> > should regularly delete cache and session data.
> >
> > Also, always have in mind that the user can press the Back button at any
> > time, even while inside the application, and possibly ruin internal
> > transaction processes. So you have to check in your application for this.
> >
> >
> >
>
>


-- 
*Regards,*
*Muhammad Gelbana
Java Developer*

Re: Browser Back Button

Posted by Steve Eynon <st...@alienfactory.co.uk>.
Vangel,

That's a good articulated answer - I like it!

It's always a popular topic with management so I'll be sure to
bookmark this comment for future use. Cheers!

Steve.


On 19 October 2011 18:06, Vangel V. Ajanovski <aj...@ii.edu.mk> wrote:
> On 18.10.2011 16:30, Olga wrote:
>>
>> I have noticed that with the browser Back button we can see all the page
>> history, but you can be logged out or logged in with another username.
>>
> Correct behaviour of browser is to not contact server at all when clicking
> Back button, so the content should be reproduced completely from cache. So,
> you will not see a request on the server side, nor event. Of course
> user/browser could be changed not to have cache, but this is in control of
> the user or her administrator.
>
> So, even if you follow the advice to put meta tags and response variables so
> that caching is disabled (or maybe to last 0 seconds) the user/browser may
> choose to ignore these "hints" and *still* store the pages into cache and
> *still* allow the user to press Back button and view the history.
>
> This is not a bug, it is inherent behaviour of web itself - its philosophy.
>
> Whatever you do, it will work for ~90% of users and it will work only if
> they use a controlled environment - company lan, company desktops, laptops,
> maybe home environment. Everyone that works with your website from let's say
> an internet cafe or kiosk, the computers there and the firewall and caching
> proxy may be set up in such a way to *always* cache pages no matter what and
> to always respond with "old" content when the user asks.
>
> I am not saying that you should not try, but that you should be aware of
> this, and that the best solution for the other 10% is to educate everyone
> that critical apps should not be used in public places where you cannot
> trust the local admins. You should educate users that in order to be safe as
> much as possible they should *delete browser cache and history and close all
> browser windows* after logging out and especially before leaving the
> computer (if it's a public computer). If your personal computer has a chance
> to be used by someone else, you should not keep passwords, you should
> regularly delete cache and session data.
>
> Also, always have in mind that the user can press the Back button at any
> time, even while inside the application, and possibly ruin internal
> transaction processes. So you have to check in your application for this.
>
>
>



Re: Browser Back Button

Posted by "Vangel V. Ajanovski" <aj...@ii.edu.mk>.
On 18.10.2011 16:30, Olga wrote:
> I have noticed that with the browser Back button we can see all the page
> history, but you can be logged out or logged in with another username.
>
Correct behaviour of browser is to not contact server at all when 
clicking Back button, so the content should be reproduced completely 
from cache. So, you will not see a request on the server side, nor 
event. Of course user/browser could be changed not to have cache, but 
this is in control of the user or her administrator.

So, even if you follow the advice to put meta tags and response 
variables so that caching is disabled (or maybe to last 0 seconds) the 
user/browser may choose to ignore these "hints" and *still* store the 
pages into cache and *still* allow the user to press Back button and 
view the history.

This is not a bug, it is inherent behaviour of web itself - its philosophy.

Whatever you do, it will work for ~90% of users and it will work only if
they use a controlled environment - company lan, company desktops,
laptops, maybe home environment. Everyone that works with your website
from let's say an internet cafe or kiosk, the computers there and the
firewall and caching proxy may be set up in such a way to *always* cache
pages no matter what and to always respond with "old" content when the
user asks.

I am not saying that you should not try, but that you should be aware of 
this, and that the best solution for the other 10% is to educate 
everyone that critical apps should not be used in public places where 
you cannot trust the local admins. You should educate users that in 
order to be safe as much as possible they should *delete browser cache 
and history and close all browser windows* after logging out and 
especially before leaving the computer (if it's a public computer). If 
your personal computer has a chance to be used by someone else, you 
should not keep passwords, you should regularly delete cache and session 
data.

Also, always have in mind that the user can press the Back button at any
time, even while inside the application, and possibly ruin internal
transaction processes. So you have to check in your application for this.



Re: Browser Back Button

Posted by Olga <ba...@list.ru>.
Thanks

--
View this message in context: http://tapestry.1045711.n5.nabble.com/Browser-Back-Button-tp4909542p4916873.html


Re: Browser Back Button

Posted by Muhammad Gelbana <m....@gmail.com>.
It's an interesting subject. Here is another link
http://davidjb.com/blog/2011/03/disabling-caching-for-sensitive-web-pages-aka-how-to-prevent-logged-out-users-going-back

Google really has many links for the same subject...

On Tue, Oct 18, 2011 at 5:00 PM, Muhammad Gelbana <m....@gmail.com> wrote:

> If I understood you right, you don't want the browser to cache previous
> pages. So when a user is for example viewing his profile page, then clicks
> on the logout link, a click on the back button doesn't show the user's
> profile. Maybe just a message from the browser that this page (the user's
> profile page) needs to be reloaded or something.
>
> I haven't tried anything similar but here is a quick google search:
>
> <META Http-Equiv="Cache-Control" Content="no-cache">
> <META Http-Equiv="Pragma" Content="no-cache">
> <META Http-Equiv="Expires" Content="0">
> Source: http://www.pacificnet.net/~johnr/meta.html
>
> I think there was a similar and not so old question in the users list.
>
> About invalidating your session (user = null;), it's much more reliable to
> actually invalidate the user's HttpSession object. You do that by injecting
> Tapestry's Request interface and then invalidate its session. Unless that's
> what you really need to do.
>
>     @Inject
>     private Request request;
>
>     @OnEvent(component = "logout", value = "action")
>     private void logout() {
>         log.info("User logging out.");
>         // getSession(false) returns null when there is no session
>         Session session = request.getSession(false);
>         if (session != null) {
>             session.invalidate();
>         }
>     }
>
>
> On Tue, Oct 18, 2011 at 4:30 PM, Olga <ba...@list.ru> wrote:
>
>> I have noticed that with the browser Back button we can see all the page
>> history, but you can be logged out or logged in with another username.
>>
>> How can I catch this event?
>>
>> Thanks
>>
>
>
> --
> *Regards,*
> *Muhammad Gelbana
> Java Developer*
>
>


-- 
*Regards,*
*Muhammad Gelbana
Java Developer*

Re: Browser Back Button

Posted by Muhammad Gelbana <m....@gmail.com>.
If I understood you right, you don't want the browser to cache previous
pages. So when a user is for example viewing his profile page, then clicks
on the logout link, a click on the back button doesn't show the user's
profile. Maybe just a message from the browser that this page (the user's
profile page) needs to be reloaded or something.

I haven't tried anything similar but here is a quick google search:

<META Http-Equiv="Cache-Control" Content="no-cache">
<META Http-Equiv="Pragma" Content="no-cache">
<META Http-Equiv="Expires" Content="0">
Source: http://www.pacificnet.net/~johnr/meta.html

I think there was a similar and not so old question in the users list.

About invalidating your session (user = null;), it's much more reliable to
actually invalidate the user's HttpSession object. You do that by injecting
Tapestry's Request interface and then invalidate its session. Unless that's
what you really need to do.

    @Inject
    private Request request;

    @OnEvent(component = "logout", value = "action")
    private void logout() {
        log.info("User logging out.");
        // getSession(false) returns null when there is no session
        Session session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }


On Tue, Oct 18, 2011 at 4:30 PM, Olga <ba...@list.ru> wrote:

> I have noticed that with the browser Back button we can see all the page
> history, but you can be logged out or logged in with another username.
>
> How can I catch this event?
>
> Thanks
>
>
>


-- 
*Regards,*
*Muhammad Gelbana
Java Developer*

Re: Browser Back Button

Posted by Olga <ba...@list.ru>.
I have noticed that with the browser Back button we can see all the page
history, but you can be logged out or logged in with another username.

How can I catch this event?

Thanks

--
View this message in context: http://tapestry.1045711.n5.nabble.com/Browser-Back-Button-tp4909542p4913885.html