注销后如何清除用户主体?
情况很简单:用户单击注销,转到 LogoutFilter 并:
HttpServletRequest hreq = (HttpServletRequest) request;
hreq.getSession(false).invalidate();
HttpServletResponse httpResponse = (HttpServletResponse) response;
httpResponse.reset();
httpResponse.setHeader("Cache-Control", "no-cache");
httpResponse.setHeader("Pragma", "no-cache");
httpResponse.setHeader("Cache-Control", "no-store");
httpResponse.setHeader("Cache-Control", "must-revalidate");
httpResponse.setDateHeader("Expires", 0);
chain.doFilter(request, response);
并且在页面上显示登录链接。问题很简单:会话重新创建,但用户主体被缓存,因此不会显示登录弹出窗口,并且应用程序使用缓存的主体,因为 request.getUserPrincipals() 返回的不是 null 对象。
问题很简单:有没有办法也删除用户主体,以便浏览器在注销后要求重新登录?
The case is easy: user clicks logout, goes to LogoutFilter and:
HttpServletRequest hreq = (HttpServletRequest) request;
hreq.getSession(false).invalidate();
HttpServletResponse httpResponse = (HttpServletResponse) response;
httpResponse.reset();
httpResponse.setHeader("Cache-Control", "no-cache");
httpResponse.setHeader("Pragma", "no-cache");
httpResponse.setHeader("Cache-Control", "no-store");
httpResponse.setHeader("Cache-Control", "must-revalidate");
httpResponse.setDateHeader("Expires", 0);
chain.doFilter(request, response);
And on page login link is shown. The problem is easy: session recreated, but user principals are chached, so no login popup is shown and application uses cached principals, because request.getUserPrincipals() returns not null object.
The question is simple: is there any way to remove user principals too, so browser asks to log in again after logout?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
不要只是在注销时清除缓存,而是为您的应用程序设置一个过滤器,该过滤器始终将这些元值设置为响应,对于应用程序中页面的每个请求。这样,您的任何页面都不会被缓存。清除浏览器缓存并重试。这能解决什么问题吗?
Instead of just clearing the cache on logout, have a filter for your application that always sets those meta values to the response, for every request to a page in your application. This way, none of your pages will be cached. Clear your browser cache and try again. Does that fix anything?
当用户注销时,我会考虑在您使他们的会话无效后将他们重定向(使用 302 重定向)到“注销”页面。 “希望”能够阻止 request.getUserPrincipals() 返回任何内容。
顺便说一句,您正在执行的缓存工作对您的 Web 应用程序缓存没有任何作用。您所指定的是 Web 客户端和 Web 代理应如何考虑缓存该特定请求。因此,这些值在请求离开服务器并“进入野外”后使用。
When the user logs out I would consider redirecting them (using a 302 redirect) to a 'logged out' page after you've invalidated their session. That 'hopefully' will stop the request.getUserPrincipals() from returning anything.
BTW, the cache work that you're doing does nothing to your web applications cache. What you're specifiying there is how web clients and web proxies should consider caching that particual request. So, those values are used after the request leaves your server and goes out 'into the wild'.