I am under the impression that session.invalidate() should be sufficient for logout. 
The problem that's happening is that I can run the whole application again and go to 
pages that I didn't go to before logging out, which means these pages were never in 
the cache.

-Nimmi

-----Original Message-----
From: SUPRIYA MISRA [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 30, 2001 8:07 AM
To: [EMAIL PROTECTED]
Subject: RE: STRANGE: session.invalidate() is not invalidating the
session


Try adding these lines to the JSP:
<%
    response.setHeader("Cache-Control", "no-store"); // HTTP 1.1
    response.setHeader("Pragma", "no-cache"); // HTTP 1.0
    response.setDateHeader("Expires", 0); // prevents caching at the proxy server
%>




>From: "Dudley Butt@i-Commerce" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
>Subject: RE: STRANGE: session.invalidate() is not invalidating the session
>Date: Thu, 30 Aug 2001 10:13:40 +0200
>
>I'm having the same problem, please help anyone?
>
>-----Original Message-----
>From: Shamdasani Nimmi-ANS004 [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, August 29, 2001 9:32 PM
>To: struts-user@jakarta. apache. org (E-mail)
>Subject: STRANGE: session.invalidate() is not invalidating the session
>
>
>Hi,
>
>I noticed a peculiar thing. In my application I have a logout link on 
>pages.
>This link control goes to 'Logout' action where I clean up the session
>variables and then invalidate the session with:
>
>session.invalidate();
>
>and this class forwards it to Logout.jsp which just has the goodbye 
>message.
>
>I have noticed that at this point if I keep going back with the back key of
>my browser to the point where jsessionid is part of the URL, i.e.,
>
>http://localhost:8080/msqc/logon.do;jsessionid=149062E2E0A77480075991317505D453
>
>
>and do the browser refresh here then I can go back into the application
>without having to log in again. It is as if the session is still alive.
>
>All the screens (incl. the above URL point) going backwards from Logout.jsp
>do show the page expired message but doing refresh on the above URL screen
>only brings back the application.
>
>Could someone please explain this to me? Has anyone else seen this?
>
>BTW I am using Tomcat 4.0 and Struts 1.1(same happens with 1.0 too)
>
>TIA.
>
>-Nimmi


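One way to apply the headers suggested in this thread to every protected page, and to check on each request whether the container still accepts the session, is a servlet filter. This is an added example, not code from the thread or from Struts; the class name, the `user` attribute, the `/logon.jsp` path and the `javax.servlet` package (matching the Tomcat 4.0 era) are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter; map it in web.xml to protected URLs only, never to the logon page.
public class NoCacheSessionFilter implements Filter {
    // Assumptions: the logon action sets this attribute; the logon page lives at this path.
    private static final String USER_ATTR = "user";
    private static final String LOGON_PAGE = "/logon.jsp";
    private FilterConfig config;

    public void init(FilterConfig config) throws ServletException { this.config = config; }
    public void destroy() { config = null; }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // The three headers from the scriptlet, set once for every protected response.
        res.setHeader("Cache-Control", "no-store");
        res.setHeader("Pragma", "no-cache");
        res.setDateHeader("Expires", 0);

        // getSession(false) returns the current session or null; it never creates one.
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;
        if (loggedIn) {
            chain.doFilter(rq, rs);
            return;
        }
        // The request carried a session id (cookie or ;jsessionid=) that the
        // container no longer accepts, e.g. one invalidated at logout.
        if (req.getRequestedSessionId() != null && !req.isRequestedSessionIdValid()) {
            // getServletPath() omits path parameters, so the id itself is not logged.
            config.getServletContext().log("Stale session id presented for " + req.getServletPath());
        }
        // Plain redirect without encodeRedirectURL(), so no session id is put in the URL.
        res.sendRedirect(req.getContextPath() + LOGON_PAGE);
    }
}
```

The log line separates a browser replaying a cached page (no request reaches the filter) from a request that arrives at the server with the old id.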