当用户登录时,会话信息被存储。 用户登录时会删除会话信息 出去但是当我点击浏览器的后退按钮时,会显示用户信息。会议已经结束,但我们无法确定 执行用户登录操作。我该如何解决这个问题 问题 ?
----------------------------log out -------------------------------
@RequestMapping(value="logout.htm",method = RequestMethod.GET)
public void logOut(HttpSession session,HttpServletResponse
response,HttpServletRequest request) throws IOException{
final String refererUrl = request.getHeader("Referer");
response.setHeader(refererUrl, "no-cache");
response.setHeader("Cache-Control", "no-cache");
response.setDateHeader("Expires", 0);
session.removeAttribute("user");
session.invalidate();
response.sendRedirect("index.htm");
}
---------------------------------- login ---------------
@RequestMapping(value="/userLogin",method=RequestMethod.POST)
public @ResponseBody JsonResponse
login(@ModelAttribute(value="user") User user, BindingResult result,HttpServletRequest request,HttpSession session,ModelMap model) throws UnsupportedEncodingException{
JsonResponse res = new JsonResponse();
if(!result.hasErrors()&& userService.findUser(user, request)){
res.setStatus("SUCCESS");
session.setAttribute("user",
new String(user.getUsername().getBytes("iso- 8859-1"), "UTF-8"));
}
else{
res.setStatus("FAIL");
result.rejectValue("username","1");
res.setResult(result.getAllErrors());
}
return res;
}
--------------------------profile --------------------------------------
@RequestMapping(value="myProfile.htm",method = RequestMethod.GET)
public String showmyProfile(@ModelAttribute(value="addUser") User user,Model model,HttpServletRequest request,
HttpServletResponse response,
HttpSession session) throws IOException{
if(session.getAttribute("user")== null){
response.sendRedirect("index");
}
答案 0 :(得分:3)
我使用这种方法。 首先创建一个实现Filter的类并重写doFilter()方法。 doFilter()的代码是:
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletResponse hsr = (HttpServletResponse) res;
hsr.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
hsr.setHeader("Pragma", "no-cache"); // HTTP 1.0.
hsr.setDateHeader("Expires", 0); // Proxies.
chain.doFilter(req, res);
}
在web.xml中使用过滤器之后。这个过滤器就是这个。
<filter>
<filter-name>noCacheFilter</filter-name>
<filter-class>com.example.NoCacheFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>noCacheFilter</filter-name>
<url-pattern>/secured/*.jsp</url-pattern>// urls that not cached
</filter-mapping>
答案 1 :(得分:1)
在Servlet Context中配置拦截器,如下所示:
<!-- configuration for handling browser back button -->
<mvc:interceptors>
<mvc:interceptor>
<mvc:mapping path="/**/*"/>
<beans:bean id="webContentInterceptor" class="org.springframework.web.servlet.mvc.WebContentInterceptor">
<beans:property name="cacheSeconds" value="0"/>
<beans:property name="useExpiresHeader" value="true"/>
<beans:property name="useCacheControlHeader" value="true"/>
<beans:property name="useCacheControlNoStore" value="true"/>
</beans:bean>
</mvc:interceptor>
</mvc:interceptors>
注意:在测试应用程序时,不要忘记删除浏览器缓存。
答案 2 :(得分:1)
在spring-security 4.0中,此问题已默认解决。即使在安全XML配置中,您也无需编写任何其他代码。
答案 3 :(得分:0)
response.setHeader(refererUrl, "no-cache");
response.setHeader("Cache-Control", "no-cache");
response.setDateHeader("Expires", 0);
上面的代码清除了缓存并使服务器端的会话到期。但是,无论会话是否有效,都应该在您的视图中验证或处理(HTML或JSP)。您可以在视图中使用以下元标记来表示no-cache和no-store
<meta http-equiv="Cache-control" content="no-cache">
或
<META HTTP-EQUIV="Cache-Control" CONTENT="No-Cache,Must-Revalidate,No-Store">
请参阅this浏览器缓存控制