Title: Timing out Secure session
You can set http headers in your response.

res.setHeader("Cache-Control", "must-revalidate");

Once the user leaves the page, the browser will be forced to revalidate the request
and the page will not be reposted from any cache. Well, at least that's
what the spec says.

Please note this is an http 1.1 directive and not all browsers will recognize it.

Another alternative is to be *really* strict:

       // Repeated setHeader() calls with the same name replace each other, so the
       // Cache-Control directives have to be combined in one value (or added with
       // addHeader()); as separate calls only the last one would survive.
       res.setHeader("Cache-Control", "no-cache, no-store, private, must-revalidate");
       res.setHeader("Expires", "Tue, 25 Dec 1996 12:22:22 GMT");  // a date in the past
       res.setHeader("Pragma", "no-cache");

The last one (Pragma) is for http 1.0 and should work on most browsers.

The HTTP 1.1 spec is pretty dry reading but informative. Ref. RFC 2616, section 14.9.


Mike
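As an added example (not code from Mike, Kevin or the original poster), here is the same set of anti-caching headers applied from a servlet Filter, so that every page under the protected part of the site gets them without each servlet repeating the calls. The filter class name, the web.xml mapping and the use of a past Expires date instead of the literal 1996 string are assumptions of this example; the headers themselves are the ones discussed in both replies above. Headers must be set before the response is committed, which is why the filter sets them before calling the rest of the chain.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not from the thread) that stamps the anti-caching
 * headers on every response it wraps. Map it in web.xml to the URL pattern
 * of the pages that require a login, for example /secure/*.
 */
public class NoCacheFilter implements Filter {

    // One combined value: repeated setHeader() calls for the same header name
    // replace each other, so only the last directive would survive otherwise.
    static final String CACHE_CONTROL = "no-cache, no-store, private, must-revalidate";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (resp instanceof HttpServletResponse) {
            // Set headers before the body is written; once the response is
            // committed, header changes are silently ignored.
            applyNoCacheHeaders((HttpServletResponse) resp);
        }
        chain.doFilter(req, resp);
    }

    /** HTTP/1.1 directives (RFC 2616 section 14.9) plus the HTTP/1.0 fallbacks. */
    static void applyNoCacheHeaders(HttpServletResponse res) {
        res.setHeader("Cache-Control", CACHE_CONTROL); // HTTP/1.1 caches
        res.setHeader("Pragma", "no-cache");           // HTTP/1.0 clients and proxies
        res.setDateHeader("Expires", 0L);              // epoch, i.e. already expired
    }

    public void destroy() { }
}
```

With this in place, a page fetched from history after the user has browsed away is revalidated against the server, where the session check (or lack of a session) decides what the user sees; as Kevin notes, how strictly the browser honours these headers still varies by vendor and version.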

Kevin Baynes wrote:
Session API won't help you with this. As long as the browser stays open and the session hasn't timed out, then the session is valid.
 
Alternatives:
 
You can prevent the pages from being cached and expire them immediately. When the user hits the back button, they will get a message that says the page is expired. This forces them to go to a page that you do not expire immediately: the login.
 
You can also modify the browser history using JavaScript. By setting the history, the "back" button can always point to the login screen of your site.
 
Both of these methods are browser dependent and not 100% reliable. You will get varying results depending on the browser type and version... So they can be a pain to use.
 
Also, both of these methods will always affect a user trying to use the "back" button - not just ones who browsed away from your site. Basically, you will be disabling the "back" button. I'd recommend *not* doing this unless you really must.
 
Kevin Baynes
Seagull Software
 
 
-----Original Message-----
From: A mailing list for discussion about Sun Microsystem's Java Servlet API Technology. [mailto:[EMAIL PROTECTED]]On Behalf Of John Waugh
Sent: Wednesday, August 15, 2001 11:23 AM
To: [EMAIL PROTECTED]
Subject: Timing out Secure session

hi,

I was thinking about making a secure web site, but the thought has just crossed my mind that I'd like it when a user visits a page on the site, then another site, then say presses back and refresh, to make the user have to re-login.

How on earth would I detect the fact that the user has left the site using the session API? I haven't been able to come up with anything.

Any suggestions or other approaches, anyone?

John


___________________________________________________________________________ To unsubscribe, send email to [EMAIL PROTECTED] and include in the body of the message "signoff SERVLET-INTEREST". Archives: http://archives.java.sun.com/archives/servlet-interest.html Resources: http://java.sun.com/products/servlet/external-resources.html LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
