How to secure my Account after Logout?


I have a situation: after I log out from a page, if someone clicks the "Go Back" button in the browser, it automatically goes to the previous page again. In Logout.java (Servlet) I use:

session.invalidate();
request.getRequestDispatcher("index.jsp").forward(request,response);

Everything works fine. But after logout, if I click the Go Back button (upper left corner) in the browser, it goes back to where I was. I want that if I click Go Back, it says "Your session has expired" or "Login" or something else. How do I do it? Please give your valuable suggestions.
I just read about this and created a servlet FilterURL.java:

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class FilterURL extends HttpServlet implements Filter {
    @Override
    public void init(FilterConfig config) throws ServletException {
    //
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
      // Mark every response as non-cacheable, then let the request continue.
      HttpServletResponse hsr = (HttpServletResponse) res;
      hsr.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
      hsr.setHeader("Pragma", "no-cache"); // HTTP 1.0.
      hsr.setDateHeader("Expires", 0); // Proxies.
      chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    //
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    //
    }
}

And my web.xml (under web-app):

<filter>
    <filter-name>FilterURL</filter-name>
    <filter-class>com.filter.url.sys.FilterURL</filter-class>
</filter>
<filter-mapping>
    <filter-name>FilterURL</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

But it won't work. What is my mistake?
I read about it on these pages:

  1. How to use a servlet filter in Java to change an incoming servlet request url?
  2. Prevent user from seeing previously visited secured page after logout
  3. http://tutorials.jenkov.com/java-servlets/servlet-filters.html
  4. servlet session , after logout , when back button of browser is pressed , again the secure page is shown

There are 4 best solutions below

3
On

It's done like this:

<script>
   history.forward();
</script>

Add this in the <head> section of each page; it will prevent this problem.

1
On

Use servlet filter chaining for better security.

Source: Oracle

The explanation is on Stack Overflow:

How to use a servlet filter in Java to change an incoming servlet request url?

For tutorials, see this link.

http://viralpatel.net/blogs/tutorial-java-servlet-filter-example-using-eclipse-apache-tomcat/

A good one -- http://tutorials.jenkov.com/java-servlets/servlet-filters.html

Filters can perform many different types of functions. We'll discuss examples of the italicized items in this paper:

  • Authentication-Blocking requests based on user identity.

  • Logging and auditing-Tracking users of a web application.

  • Image conversion-Scaling maps, and so on.

  • Data compression-Making downloads smaller.

  • Localization-Targeting the request and response to a particular locale.

  • XSL/T transformations of XML content-Targeting web application responses to more than one type of client.

Read the official docs: http://www.oracle.com/technetwork/java/filters-137243.html

0
On

In the filter:

// The filter receives ServletRequest/ServletResponse; cast to the HTTP types first.
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;

HttpSession session = request.getSession(false); // don't create if it doesn't exist
if (session != null && !session.isNew()) {
    chain.doFilter(request, response);
} else {
    response.sendRedirect(request.getContextPath() + "/index.jsp");
}

See: checking session in servlet and jsp
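The asker's filter only sets cache headers, and the answer above only checks for a session; the two have to be combined for the Back button to lead somewhere sensible. The following filter is an added example, not code from the question or from any of the answers. It assumes the login servlet stores a "user" attribute in the session, that index.jsp is the login page, and that the public paths listed in PUBLIC_PREFIXES match the application's layout; all of these are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example: forbids caching of every response AND refuses to serve
 * protected pages unless the session carries a "user" attribute (assumed
 * to be set by the login servlet). The paths below are assumptions.
 */
@WebFilter("/*") // or register in web.xml with <url-pattern>/*</url-pattern>, as in the question
public class AuthAndNoCacheFilter implements Filter {

    // Paths that must stay reachable without a session (assumed layout).
    private static final String[] PUBLIC_PREFIXES = {
        "/index.jsp", "/login", "/logout", "/css/", "/js/", "/images/"
    };

    @Override
    public void init(FilterConfig config) throws ServletException { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Tell browsers and proxies never to reuse a stored copy, so pressing
        // Back produces a fresh request that this filter gets to inspect.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        // Path relative to the web application, e.g. "/account.jsp".
        String path = request.getRequestURI().substring(request.getContextPath().length());

        if (isPublic(path)) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false): do not create a session just to find it empty.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("user") != null;

        if (loggedIn) {
            chain.doFilter(req, res);
        } else {
            // Absolute redirect inside the context; a bare "/index.jsp" would
            // point at the server root when the app is not deployed at "/".
            response.sendRedirect(request.getContextPath() + "/index.jsp?expired=1");
        }
    }

    /** True for paths that never require a login. */
    static boolean isPublic(String path) {
        if (path.isEmpty() || "/".equals(path)) {
            return true;
        }
        for (String prefix : PUBLIC_PREFIXES) {
            if (path.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void destroy() { }
}
```

Checking a session attribute rather than session.isNew() matters: a container creates a session for any visitor (a JSP does so by default), so "a session exists" does not mean "someone logged in". The index.jsp page can read the expired=1 parameter and show the "Your session has expired" message the asker wants.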

1
On

Does it load the page from the server again? Then you need to check your user recognition and session code. Some hints have been given in the other answers.

If the page is in the browser's cache, you are out of luck; the browser can show it again. After all, it is a local document.

But there are a few possible workarounds (if your user and session recognition works).

  • Set the HTTP headers for expiration and cache-control so that the browser is advised to reload the page every time. Depends on how the browser behaves.
  • Go all-JavaScript, i.e. build a single-page web application, thereby completely removing the back button functionality. It is a valid approach sometimes, but not every time. When working with resources that should be reachable by unique URLs it is not.
  • Do a redirect between the logout and the new page (like redirect-after-post), so that a single click on the back button will lead the user to the redirect page and immediately again to the page you send the user to after a logout.
  • Use some Ajax on every page to check if the user is still logged in; if not, redirect to the login page.
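The redirect-after-logout workaround from the third bullet changes the asker's Logout.java: invalidate the session, then answer with a 302 to the login page instead of forwarding to index.jsp, so the logout URL itself never becomes a page in the browser history. The servlet below is an added example, not the asker's Logout.java and not code from this answer. The path /logout, the index.jsp target and the cookie name JSESSIONID (the Tomcat default, assumed here) are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example: logout that invalidates the session, expires the session
 * cookie in the browser, and redirects (302) instead of forwarding.
 * Path, target page and cookie name are assumptions.
 */
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Server side: drop all session state. getSession(false) avoids
        // creating a throwaway session just to invalidate it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Client side: expire the session cookie so the old id is not sent
        // again (assumed cookie name JSESSIONID; path must match the one the
        // container used, which is the context path or "/" for the root app).
        String contextPath = request.getContextPath();
        Cookie cookie = new Cookie("JSESSIONID", "");
        cookie.setMaxAge(0);
        cookie.setPath(contextPath.isEmpty() ? "/" : contextPath);
        cookie.setHttpOnly(true);
        cookie.setSecure(request.isSecure());
        response.addCookie(cookie);

        // No caching of the logout response itself either.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        // Redirect, not forward: the browser lands on index.jsp as a new
        // navigation, and Back from there leads to a page the session filter
        // will reject rather than to a cached copy of the logout response.
        response.sendRedirect(contextPath + "/index.jsp?loggedout=1");
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Logout is state-changing; treat a GET the same way for links that
        // already exist, but prefer a POST form so it cannot be triggered by
        // a plain image tag on another site.
        doPost(request, response);
    }
}
```

This pairs with a filter that rejects requests without a logged-in session: the redirect fixes what the Back button shows first, and the filter makes sure that any re-request of a protected page after that is sent to the login page.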