i mean can i do it by modifying the jsp source or ? thanx Vijayakumar Govindasamy;the project is usefull and does what i want..
Invalidating a session is server-side logic, the back-button is purely client-side logic.
You might set the appropriate HTTP headers when you send pages to the browser to tell it it should never show cached pages but instead always send a new request.
Those headers can be a combination of: Pragma=no-cache (for older browsers) Cache-control=no-store (a stricter version of no-cache) Expires=0 Setting these will prevent any non-deaf browser from showing cached content. In first request I delete all attributes of a session and invalidate it.
Then in your action class that the submits to you can call is Token Valid.This prevents display of any page EXCEPT the one immediately following the login page (Welcome.jsp).If the user refreshes Welcome.jsp, IE resubmits the Logon Form containg the username and password, Logon Action accepts these values and 'presto' the user is in again.Is there a way to rebuild the subject from the session?Hi Mike, Yes, definitely: Subject subject = new Subject.That will check that hidden field to make sure it is the same number that was generated and put on the page for you in the other action class.