
I am working on a JSF 2.1 application.

A user logs in successfully and arrives at the home page. Then, clicking the browser's back button redirects to the login page, and after that it is possible to navigate to the home page again using the browser's forward button.

Currently this is marked as an improper session management issue in a security audit: "It was possible to re-initiate the login session when we performed backward/forward refresh submission."

How to fix this issue, i.e. log out the user when arriving at the login page via URL / browser's back button?

Here the user is logged in, but the case covered in the solution is when the user is logged out.

SuryaN
  • @BalusC I had tried the same and already implemented it by adding proper response headers in the request filter, but on pressing the back/forward button an HTTP request is sent. The solution provided by "Avoid back button on JSF web application" is for when the user is logged out. Here the user is not logged out, but pressing the back button moves out to the login page and on clicking the forward button the user can access the home page. This is a security issue which was marked during the security audit. – SuryaN Mar 07 '18 at 08:34
  • After authentication we return the URL /home/home.xhtml?faces-redirect=true&includeViewParams=true and then the request filter creates a new session id. – SuryaN Mar 07 '18 at 09:48
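As an added example, not code from the question or from JSF itself, the following servlet filter shows one way to implement the behaviour asked about: every response is sent with no-cache headers so that back/forward navigation always issues a real request, and a request for the login page that carries an authenticated session invalidates that session, so the forward button can no longer re-enter the home page without logging in again. The login page path `/login.xhtml` and the session attribute name `user` are assumptions; they must be adjusted to the application's actual values.

```java
import java.io.IOException;
import javax.faces.application.ResourceHandler;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebFilter(urlPatterns = "/*")
public class LoginPageSessionFilter implements Filter {

    // Assumed values: the view served as the login page and the session
    // attribute under which the application stores the authenticated user.
    private static final String LOGIN_PAGE = "/login.xhtml";
    private static final String USER_SESSION_KEY = "user";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the context root, e.g. "/login.xhtml" or "/home/home.xhtml".
        String path = request.getRequestURI().substring(request.getContextPath().length());

        // JSF resources (CSS, JS, images) may stay cacheable; only pages are affected.
        if (!path.startsWith(ResourceHandler.RESOURCE_IDENTIFIER)) {
            // Forbid caching so that back/forward never replays a stored page and
            // every navigation reaches the server, where this filter can act on it.
            response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
            response.setHeader("Pragma", "no-cache");
            response.setDateHeader("Expires", 0);

            HttpSession session = request.getSession(false);
            if (LOGIN_PAGE.equals(path)
                    && session != null
                    && session.getAttribute(USER_SESSION_KEY) != null) {
                // Arriving at the login page while authenticated (back button or typed URL)
                // ends the current session; a later login creates a fresh session id.
                session.invalidate();
            }
        }

        chain.doFilter(req, res);
    }
}
```

With this filter in place, pressing back from the home page lands on the login page with the session already invalidated, so pressing forward sends a request for the home page without a valid session and the application's normal authentication check redirects it back to login. The `getSession(false)` call matters: it must not create a session as a side effect for anonymous requests.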

0 Answers