Hi. I have a web application running on Spring Webflow with Spring Security. I have a problem logging out because my app kind of remembers the last page after logging out. When I press back or directly paste the URL into the address bar it can direct the page to the login page, but if I log in it will go directly to the last page I went to before logging out. It tends to remember its last state. Below is my application-config snippet.

    <security:logout logout-url="/logout.do" invalidate-session="true"
        logout-success-url="/logoutSuccess.do" />

Link in my page

      <a href="logout.do">#{label.labellogout}</a>
A: 

Not sure that I correctly understand your problem but:

B.1.1.4. session-fixation-protection Indicates whether an existing session should be invalidated when a user authenticates and a new session started. If set to "none" no change will be made. "newSession" will create a new empty session. "migrateSession" will create a new session and copy the session attributes to the new session. Defaults to "migrateSession". If enabled this will add a SessionFixationProtectionFilter to the stack. The session fixation protection options on namespace-created instances of AbstractProcessingFilter will also be set appropriately.

Can be read here link

Tomas
+1  A: 

The expired-url attribute

The URL a user will be redirected to if they attempt to use a session which has been "expired" by the concurrent session controller because the user has exceeded the number of allowed sessions and has logged in again elsewhere. Should be set unless exception-if-maximum-exceeded is set. If no value is supplied, an expiry message will just be written directly back to the response.

Sounds like your session is still valid after a logout. Try to make it invalid after logout.

Text is from: Spring Doc

bastianneu
Thanks. This worked for me
cedric
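
The attributes quoted in the two answers, shown together with the question's logout element in one Spring Security 2.0-style namespace configuration. This is an added example, not part of the original posts; the `max-sessions` value and the `/sessionExpired.do` URL are assumptions, and the application's own `intercept-url` rules and authentication provider are left out.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security-2.0.xsd">

  <!--
    session-fixation-protection (first answer):
      "none"           keeps the pre-login session as it is
      "migrateSession" (default) creates a new session at login and copies
                       the old session's attributes into it
      "newSession"     creates a new, empty session at login, so nothing
                       stored before authentication is carried over
  -->
  <security:http auto-config="true"
                 session-fixation-protection="newSession">

    <!-- Logout element from the question: the HTTP session is
         invalidated when /logout.do is requested. -->
    <security:logout logout-url="/logout.do"
                     invalidate-session="true"
                     logout-success-url="/logoutSuccess.do" />

    <!-- expired-url (second answer): where a request is sent when its
         session was expired by the concurrent session controller.
         max-sessions and the URL are assumed values. -->
    <security:concurrent-session-control
        max-sessions="1"
        expired-url="/sessionExpired.do" />
  </security:http>

</beans>
```

To confirm that logout really ends the session, compare the `JSESSIONID` cookie before logout, after logout and after the next login: the value should differ at each step.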
