I am developing a web application, in which I have used session management to store some values.
What I am looking for is, after a user login to the application by giving username and password, s/he will be on the home page, but at any moment if the user closes the browser window or pressed the back button, the session should get invalidated and the user should not get the home page again.
I am using servlet as controller for login(jsp) and 2 jsp pages, 1st-login page, 2nd- home page.
For timeout I am using web.xml’s <session-timeout> functionality.
How about the other browsers? There are many more browsers in the world than only IE.
Anyway, you’re going the wrong direction as to solving the “problem”. It’s technically not reliably possible to invalidate the session when the user presses the back button. Further, I’m not sure how you usually browse on the net, but I’m pretty sure that invalidating the session on pressing the back button would astonish the average webpage visitor.
If your concrete problem is that you’d like to prevent the enduser from viewing a restricted page which requires a login after pressing the back button, then you need to just tell the browser to not cache those pages. This is in detail answered here: Prevent user from seeing previously visited secured page after logout
As to invalidating the session as well when the user physically closes the browser, this is technically also not reliably possible. The common approach is to just keep the session timeout relatively short, for example 1 minute, and to introduce an ajax poll which sends every 55 seconds or so a request to the server to keep the session alive. This is in detail answered here: JSF – Keep a session alive for an indefinite amount of time