Posted to user@struts.apache.org by info3853 Bush <in...@yahoo.com> on 2005/12/01 17:58:31 UTC

How to prevent URL cached

 I noticed that in many web applications, after you log out from the application, you can still use the browser "back" button to view some pages you supposedly shouldn't. Some web applications, like gmail, if you log out and click back, will always redirect the page to the login page. Some other applications, even like ameritrade, will allow you to view some static content just visited.
  
  My question is whether there is any easy way in Struts to configure that, after you log out from the application, using the browser "back" button will always direct you to the login page.

Re: How to prevent URL cached

Posted by Laurie Harper <la...@holoweb.net>.
Or use container managed security (which, I think, can be used for 
static as well as dynamic content?)... Like I said, there are a lot of 
options... ;-)

Michael Jouravlev wrote:
> Did you say pages are static (HTML)? Or they are JSPs? Or does request
> pass through Struts action? If they are not plain HTML, then in your
> action or in JSP page check if user is logged in. If not, redirect to
> login page.
> 
> Here is the simple scriptlet, that you should stick in the beginning
> of every session-related page:
> 
> <%
>    if (session.getAttribute("USER") == null) {
>        response.sendRedirect("Login.do");
>    }
> %>
> 
> Or you may want to write a guard tag, see Ted Husted's MailReader
> sample application for details. Or you may want to write a servlet
> filter.
> 
> Michael.
> 
> On 12/1/05, info3853 Bush <in...@yahoo.com> wrote:
>> Yes, I did that. Now all pages are blank. What I really wish is that after logout, when user hit "back" button, the page goes back to login page, never visit all pages visited before even just blank page now.
>>
>> Michael Jouravlev <jm...@gmail.com> wrote:  On 12/1/05, info3853 Bush wrote:
>>> That's true. This topic belongs to web application security.
>>>
>>> The thing is that all static content are shown when you used the "back" button. Of course, you can't click any link since the session is already invalidated.
>>
>> Mark page as non-cachable with "no-cache, no-store" cache-control
>> header. You may want to add some other headers too, like
>> must-revalidate. When you hit Back, the browser would try to reload a
>> page, here you would show the error.
>>
>> Michael.


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: How to prevent URL cached

Posted by info3853 Bush <in...@yahoo.com>.
All pages are JSPs. 
  
  After adding a similar user check to the sessionFilter.java class, every "back" action after logout is now directed to the login page. 
  In this way, I don't need to add a user check on each JSP page.
  
  Thanks for the hint.

Michael Jouravlev <jm...@gmail.com> wrote:  Did you say pages are static (HTML)? Or they are JSPs? Or does request
pass through Struts action? If they are not plain HTML, then in your
action or in JSP page check if user is logged in. If not, redirect to
login page.

Here is the simple scriptlet, that you should stick in the beginning
of every session-related page:

<%
   if (session.getAttribute("USER") == null) {
       response.sendRedirect("Login.do");
   }
%>

Or you may want to write a guard tag, see Ted Husted's MailReader
sample application for details. Or you may want to write a servlet
filter.

Michael.

On 12/1/05, info3853 Bush  wrote:
>  Yes, I did that. Now all pages are blank. What I really wish is that  after logout, when user hit "back" button, the page goes back to login  page, never visit all pages visited before even just blank page now.
>
> Michael Jouravlev  wrote:  On 12/1/05, info3853 Bush wrote:
> > That's true. This topic belongs to web application security.
> >
>  > The thing is that all static content are shown when you used the  "back" button. Of course, you can't click any link since the session is  already invalidated.
>
> Mark page as non-cachable with "no-cache, no-store" cache-control
> header. You may want to add some other headers too, like
> must-revalidate. When you hit Back, the browser would try to reload a
> page, here you would show the error.
>
> Michael.


Re: How to prevent URL cached

Posted by Michael Jouravlev <jm...@gmail.com>.
Did you say pages are static (HTML)? Or are they JSPs? Or does the request
pass through a Struts action? If they are not plain HTML, then in your
action or in the JSP page check if the user is logged in. If not, redirect to
the login page.

Here is a simple scriptlet that you should stick at the beginning
of every session-related page:

<%
   if (session.getAttribute("USER") == null) {
       response.sendRedirect("Login.do");
       return; // stop rendering the rest of the page once the redirect is sent
   }
%>

Or you may want to write a guard tag, see Ted Husted's MailReader
sample application for details. Or you may want to write a servlet
filter.

Michael.

On 12/1/05, info3853 Bush <in...@yahoo.com> wrote:
> Yes, I did that. Now all pages are blank. What I really wish is that after logout, when user hit "back" button, the page goes back to login page, never visit all pages visited before even just blank page now.
>
> Michael Jouravlev <jm...@gmail.com> wrote:  On 12/1/05, info3853 Bush wrote:
> > That's true. This topic belongs to web application security.
> >
> > The thing is that all static content are shown when you used the "back" button. Of course, you can't click any link since the session is already invalidated.
>
> Mark page as non-cachable with "no-cache, no-store" cache-control
> header. You may want to add some other headers too, like
> must-revalidate. When you hit Back, the browser would try to reload a
> page, here you would show the error.
>
> Michael.



Re: How to prevent URL cached

Posted by Simons Kevin <fb...@skynet.be>.
Just an opinion... perhaps you can check whether the user has hit the back 
button. When he hits the button you might run the code that checks whether 
a user was logged in or not. If not... load the login page.

I do know that you can use javascript to replace the history goback(). I 
don't know whether this is possible with struts.
----- Original Message ----- 
From: "info3853 Bush" <in...@yahoo.com>
To: "Struts Users Mailing List" <us...@struts.apache.org>
Sent: Thursday, December 01, 2005 8:32 PM
Subject: Re: How to prevent URL cached


> Yes, I did that. Now all pages are blank. What I really wish is that after 
> logout, when user hit "back" button, the page goes back to login page, 
> never visit all pages visited before even just blank page now.
>
> Michael Jouravlev <jm...@gmail.com> wrote:  On 12/1/05, info3853 Bush 
> wrote:
>> That's true. This topic belongs to web application security.
>>
>> The thing is that all static content are shown when you used the "back" 
>> button. Of course, you can't click any link since the session is already 
>> invalidated.
>
> Mark page as non-cachable with "no-cache, no-store" cache-control
> header. You may want to add some other headers too, like
> must-revalidate. When you hit Back, the browser would try to reload a
> page, here you would show the error.
>
> Michael.
>


Re: How to prevent URL cached

Posted by info3853 Bush <in...@yahoo.com>.
Yes, I did that. Now all pages are blank. What I really wish is that after logout, when the user hits the "back" button, the page goes back to the login page, never to any page visited before, not even the blank page shown now.

Michael Jouravlev <jm...@gmail.com> wrote:  On 12/1/05, info3853 Bush wrote:
> That's true. This topic belongs to web application security.
>
> The thing is that all static content are shown when you used the "back" button. Of course, you can't click any link since the session is already invalidated.

Mark page as non-cachable with "no-cache, no-store" cache-control
header. You may want to add some other headers too, like
must-revalidate. When you hit Back, the browser would try to reload a
page, here you would show the error.

Michael.


Re: How to prevent URL cached

Posted by Michael Jouravlev <jm...@gmail.com>.
On 12/1/05, info3853 Bush <in...@yahoo.com> wrote:
> That's true. This topic belongs to web application security.
>
>   The thing is that all static content are shown when you used the "back" button. Of course, you can't click any link since the session is already invalidated.

Mark page as non-cachable with "no-cache, no-store" cache-control
header. You may want to add some other headers too, like
must-revalidate. When you hit Back, the browser would try to reload a
page, here you would show the error.

Michael.

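The two suggestions Michael makes in this thread (the session check from the scriptlet, and the "no-cache, no-store, must-revalidate" headers) can live in one servlet filter instead of at the top of every JSP. This is an added example, not code from the thread or from Struts; the class name, the /Login.do path, the "USER" session attribute and the *.do mapping are assumptions taken from the discussion.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter: map it to the protected URL patterns (e.g. *.do) in web.xml.
public class SessionGuardFilter implements Filter {

    // Hypothetical login action; the thread redirects to "Login.do".
    private static final String LOGIN_PATH = "/Login.do";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Tell the browser and any proxy not to keep a copy: "Back" after logout
        // then forces a fresh request, which this filter sees and redirects.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");   // for HTTP/1.0 caches
        response.setDateHeader("Expires", 0L);      // already expired

        // The login page itself must pass through, or the redirect would loop.
        if (request.getRequestURI().endsWith(LOGIN_PATH)) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false): do not create a new session just to inspect it.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("USER") != null;

        if (!loggedIn) {
            // Same check as the scriptlet, done once for every request.
            response.sendRedirect(request.getContextPath() + LOGIN_PATH);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Logout processing still has to call session.invalidate(), as Laurie notes, so that the "USER" attribute is really gone when the browser re-requests the page.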


Re: How to prevent URL cached

Posted by info3853 Bush <in...@yahoo.com>.
That's true. This topic belongs to web application security.
   
  The thing is that all static content is shown when you use the "back" button. Of course, you can't click any link since the session is already invalidated.
   
  Normally, you do all access control through the BaseAction class since all actions are dispatched somehow from there. If you have a Struts application, you can send a request something like:
  http://yourapplication/XXX.do where XXX is configured in your struts-config.xml, then you will see what happens. There will be some
  kind of exception thrown out, but not a proper message like "page does not exist", etc. 

Laurie Harper <la...@holoweb.net> wrote:
  info3853 Bush wrote:
> I noticed that in many web applications, after you logout from the application, you can still use the browser "back" button to view some pages you supposely shouldn't. Some web applications, like gmail, if you logout, and click the back, it will always redirect the page to the login page. Some other applications, even like ameritrade, it will allow you to view some static content just visited.
> 
> My question is that if there is any easy way in struts to configure after you logout from application, using browser "back" button will always direct you to the login page.

As with any web application, Struts-based or otherwise, you need to 
secure the content you don't want to be re-visitable after logout, and 
make sure that as part of your logout processing you invalidate the 
current session and any authentication credentials you have stored 
elsewhere.

For example, you could have a check on each request for an 
'authenticated' token or flag in the session and if it's not present, 
redirect to a login page.

Unfortunately, there's too many ways to approach this kind of thing to 
list here. Which are appropriate depend on your requirements. Try 
googling for 'web application security', you'll find *lots* of further 
reading on the topic.

L.



Re: How to prevent URL cached

Posted by Laurie Harper <la...@holoweb.net>.
info3853 Bush wrote:
>  I noticed that in many web applications,  after you logout from the application, you can still use the browser  "back" button to view some pages you supposely shouldn't. Some web  applications, like gmail, if you logout, and click the back, it will  always redirect the page to the login page. Some other applications,  even like ameritrade, it will allow you to view some static content  just visited.
>   
>   My question is that if there is any easy way in struts to configure  after you logout from application, using browser "back" button will  always direct you to the login page.

As with any web application, Struts-based or otherwise, you need to 
secure the content you don't want to be re-visitable after logout, and 
make sure that as part of your logout processing you invalidate the 
current session and any authentication credentials you have stored 
elsewhere.

For example, you could have a check on each request for an 
'authenticated' token or flag in the session and if it's not present, 
redirect to a login page.

Unfortunately, there are too many ways to approach this kind of thing to 
list here. Which are appropriate depends on your requirements. Try 
googling for 'web application security'; you'll find *lots* of further 
reading on the topic.

L.

