Posted to users@tapestry.apache.org by wesley <we...@yahoo.co.uk> on 2008/09/25 04:00:15 UTC

T5 prevent back button after logout

Hi all,

I've implemented some projects which are Spring2+T5 integrated. I followed
most of the tutorial from the book and some tips from forums. The implementation
of my user authentication uses an "ASO" to control the access of
unauthorized users. But in my testing, right after I log out, I am still able
to view the previous page, which I shouldn't be.

In a normal implementation with servlets, the usual fix for this problem is to
disable the Cache-Control, so that after logging out the user won't be able to
view the page again by pressing the back button. What about in T5? Is there any
other way to rectify this problem using the ASO? Or do I need to implement some
security framework just to address this? If a security framework is really
needed, which part shall I implement it in? In Spring2? Or T5 alone?

Thanks and regards,
Wesley




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org


Re: T5 prevent back button after logout

Posted by wesley <we...@yahoo.co.uk>.
Hello Thiago,

Thanks very, very much for your comment and advice. :)

Regards,
Wesley





Re: T5 prevent back button after logout

Posted by "Thiago H. de Paula Figueiredo" <th...@gmail.com>.
On Wed, 24 Sep 2008 23:28:35 -0300, wesley <we...@yahoo.co.uk> wrote:

> Hello Thiago,

Hi!

> First of all, thanks for the reply. On my logic for logout: since the
> user logs in, I store the user object inside the ASO. When the user hits
> logout, the method implementing this would be like

I updated your code to reflect what I've suggested to you:

@Inject
private Session session;

Object onActionFromLogoutPress(){
     session.invalidate();
     return LoginPage.class;
}

You don't even need to nullify your ASO, because it is stored in the
session and the invalidate() method clears it.

> Based on your remark, can invalidating the session alone actually fix the
> back button problem?

This problem and others related to old info stored in the session.

> Because from what I read on the other forum, the back button is actually
> getting the page back from cache. Any advice on this?

It's completely browser-dependent (including the handling of caches and  
Cache-Control headers), so don't rely on the browsers. Invalidate the  
session and all the user can see is what he/she had already seen (from the  
browser cache).

Thiago
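
The two measures discussed in this thread (a server-side session check and the Cache-Control headers), combined in a plain servlet filter. This is an added example, not code from either poster or from Tapestry; the session attribute name `currentUser` and the `/login` and `/logout` paths are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: guards protected paths and marks their responses non-cacheable. */
public class AuthGuardFilter implements Filter {
    // Assumptions: the login code stores the user under this session attribute,
    // and these two paths exist. All three names are hypothetical.
    static final String USER_ATTR = "currentUser";
    static final String LOGIN_PATH = "/login";
    static final String LOGOUT_PATH = "/logout";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String path = req.getRequestURI().substring(req.getContextPath().length());

        // getSession(false): never create a session just to check for one.
        HttpSession session = req.getSession(false);

        if (path.equals(LOGOUT_PATH)) {
            if (session != null) session.invalidate(); // drops every attribute server-side
            res.sendRedirect(req.getContextPath() + LOGIN_PATH);
            return;
        }
        if (path.equals(LOGIN_PATH)) {
            chain.doFilter(rq, rs);
            return;
        }
        // Server-side check: after invalidate(), a retyped URL or a reload ends up here.
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            res.sendRedirect(req.getContextPath() + LOGIN_PATH);
            return;
        }
        // Best effort only: asks the browser not to keep a copy to show on Back.
        res.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        res.setHeader("Pragma", "no-cache");
        res.setDateHeader("Expires", 0);
        chain.doFilter(rq, rs);
    }
}
```

The session check is what actually denies access after logout; the headers only reduce what a browser may redisplay from its own cache.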



Re: T5 prevent back button after logout

Posted by wesley <we...@yahoo.co.uk>.
Hello Thiago,

First of all, thanks for the reply. On my logic for logout: since the user
logs in, I store the user object inside the ASO. When the user hits logout, the
method implementing this would be like

@ApplicationState
private MyUser myUser;

Object onActionFromLogoutPress(){
    Class<?> nextPage = LoginPage.class;
    // only clears the ASO; the HTTP session itself stays alive
    if(myUser != null)
           myUser = null;

    return nextPage;
}

I just set the ASO back to null, as I read the ASO is actually stored in the session?
Based on your remark, can invalidating the session alone actually fix the
back button problem? Because from what I read on the other forum, the back
button is actually getting the page back from cache. Any advice on this?

Thanks and regards,
Wesley








Re: T5 prevent back button after logout

Posted by "Thiago H. de Paula Figueiredo" <th...@gmail.com>.
On Wed, 24 Sep 2008 23:00:15 -0300, wesley <we...@yahoo.co.uk> wrote:

> I've implemented some projects which are Spring2+T5 integrated. I followed
> most of the tutorial from the book and some tips from forums. The
> implementation of my user authentication uses an "ASO" to control the
> access of unauthorized users. But in my testing, right after I log out, I
> am still able to view the previous page, which I shouldn't be.

AFAIK, your problem is not related to the back button. Retyping the last URL
would have the same effect.

In your logout method, you need to invalidate (kill) the user session,
because otherwise it is kept until it expires through lack of user interaction.
You can use the Session.invalidate() method to do this in your logout page:

@Inject
private Session session;

// in some method called by your logout logic
session.invalidate();

How do you implement the user logout?

Thiago
