Home/ Questions/Q 1034335
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-16T14:22:28+00:00

I am using Tomcat web container. I have an admin console app implemented. When

  • 0

I am using Tomcat web container. I have an admin console app implemented. When I click on logout a session attribute is made null and invalidated see the below code in my logout.jsp file.
After logout the user is taken to the login page. In fireFox I click back button I have the below issues.
First I do not get page expired page like in IE
Second when I click on any of the link in the page , I check for the sessioon attribute which I made null in logout. The value of that is “success”.
I am totally confused with this behaviour. Is it issue with firefox or tomcat session management.

I am sure I need more knowledge to understand this behaviour. Appreciate your help in letting me know what happens here…

<%@ page session="false" %>
<%
response.setHeader("cache-control","no-cache");
response.setHeader("Pragma","no-cache");
response.setDateHeader("Expires",-1);

%>
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
    <% 
    HttpSession session = request.getSession(false);
    System.out.println("session"+session);
    session.setAttribute("loginStatus",null);
    session.invalidate();
  %>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The headers are incomplete. You need the following set of headers:

    response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
response.setDateHeader("Expires", 0); // Proxies.

    Escpecially the must-revalidate entry fixes this particular FF issue.

    See also

    Unrelated to the actual problem, I’ve a few comments about this piece of code:

    • You should prefer UTF-8 over ISO-8859-1 to gain world domination.
    • Raw Java code in a JSP page is poor practice. The response headers needs to be set in a Filter and the logout needs to happen (indirectly) in a Servlet.
    • Calling getSession(false) with false may return a null session which in turn can lead to a NullPointerException in certain circumstances. Get rid of false or at least add a nullcheck.
    • Setting attribute to null right before calling invalidate() is unnecessary. The invalidate() call already trashes all the attribtues.

    Hope you learn something from this.

    • 0