I have a web application running on Spring Webflow with Spring Security. I have a problem logging out because my app kinda remembers the last page after logging out. When I press back or directly paste the URL to the address bar it can direct the page to the login page, but if I login it will go directly to the last page I went to before logging out. It tends to remember its last state. Below is my application-config snippet.
<security:logout logout-url="/logout.do" invalidate-session="true"
logout-success-url="/logoutSuccess.do" />
Link in my page
<a href="logout.do">#{label.labellogout}</a>
The expired-url attribute
The URL a user will be redirected to if they attempt to use a session which has been “expired” by the concurrent session controller because the user has exceeded the number of allowed sessions and has logged in again elsewhere. Should be set unless exception-if-maximum-exceeded is set. If no value is supplied, an expiry message will just be written directly back to the response.
Sounds like your session is still valid after an Logout. try to make it invalid after logout.
Text is from:
Spring Doc