How do I prevent users from "going back" but keep caching on after logout in JSP?

I need to leave caching turned on, yet stop the user from viewing the information after they have logged out of the system.

I know that the cached page shown on logout + back comes from the browser. I know that disabling caching is one way to force logout + back to re-check.

With JSP (CQ5 specifically), is this possible?

I have come up with the following solutions, but I'm not sure whether any of them is the best approach for my needs:

  • Disable caching everywhere. This works, but is unacceptable, because the publisher we use would be too busy re-rendering pages.
  • A POST "Logout" button on page A. Page A kills the session and sends the user to page B with the message "You have been logged out." Pressing "back" from page B makes the browser show the prompt asking whether to resubmit the values. Yes = they are logged out (harmless at this point) and redirected to page B. No = they stay on the page, harmless. But "back" + "no" + "back" can put them on the cached page, and picking a page from the history will still show the cached page.
  • The "Logout" button opens a new window asking whether they are sure / warning them that it will close the session. "I'm sure" does window.opener.reload() or window.opener.close(). But if JavaScript is disabled, we are doomed.
  • "Logout" posts to the current page. All pages check for some POSTed value. If present, go to page B with the message "You are logged out." Similar to #2. This essentially re-renders the page as the "You are logged out" page, but "back" + "back" or the history will still show the cached pages.

Is there a way to manually clear the user's cache, or to make the verification check happen even on cached pages? I'm out of ideas here...


Your problem is that you are trying to cache what should be kept secret. Caching information that sits behind a password is not secure and is a risk.

However, it does make sense to cache the shared HTML parts of a password-protected page. Anything that any user registered in the system can see is fine. Only confidential information, such as username, address, phone number, etc., is sensitive.

If you make a separate JSON call to retrieve that data, the response will be lightweight but still safe, because it is not cached in the system and is not padded out with HTML formatting, etc.

There could also be logic on the page to show a login prompt if the user's session was interrupted for any reason; they log in again and continue from where they left off, while the back button keeps working.

I also think that if any confidential information ends up in the history, for example ids, actions, etc., that can be a problem.

Just a few things to consider.

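The split the answer describes (cacheable page shell, non-cacheable per-user JSON guarded by the session) can be implemented with a servlet filter, which also covers the questioner's "back after logout" case: the HTML page may come back out of the browser cache, but the JSON call it makes for the confidential data fails once the session is gone. The code below is an added example written for this page, not code from the question, the answer or CQ5 itself. It uses the plain javax.servlet API (Servlet 3.0 annotations) rather than any CQ5/Sling-specific classes; the URL pattern `/api/private/*`, the session attribute name `userId` and the `/logout` path are assumptions chosen for the illustration.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Guards the (assumed) /api/private/* endpoints that the cached page calls
 * via XHR for per-user data. The page HTML itself is not touched by this
 * filter, so the publisher's cache keeps serving it; only the small JSON
 * responses are marked non-storable and tied to a live session.
 */
@WebFilter(urlPatterns = "/api/private/*")
public class PrivateDataCacheFilter implements Filter {

    // Assumed session attribute set by the application's login handler.
    static final String USER_ATTR = "userId";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Set before any body is written. "no-store" tells browsers and
        // intermediaries not to keep the body at all; Pragma/Expires cover
        // older HTTP/1.0 caches. These apply only to this JSON response.
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, private");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        // getSession(false) never creates a session, so a user who logged out
        // (or whose session expired) reaches the 401 branch below even when
        // the browser shows them the cached page.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setContentType("application/json");
            response.getWriter().write("{\"error\":\"not logged in\"}");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // No configuration needed.
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}

/**
 * Logout as a POST (assumed path /logout): invalidate the server-side session
 * and redirect. After this, the cached HTML may still be shown on "back", but
 * every /api/private/* call the page makes is answered with 401 by the filter.
 */
@WebServlet(urlPatterns = "/logout")
class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        response.sendRedirect(request.getContextPath() + "/logged-out.html"); // assumed page B
    }
}
```

The page-side script that calls `/api/private/...` should treat a 401 as "session gone" and replace the confidential region with a login prompt, which is the "log in again and continue where they left off" behaviour the answer mentions. Because the confidential data never lives in the cached HTML, neither the browser's back button nor the history list can reveal it, and the publisher's cache for the page shell stays intact.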
