views:

159

answers:

4
+5  Q: 

Prevent IE caching

I am developing a Java EE web application using Struts. The problem is with Internet Explorer caching. If an user logs out he can access some pages because they are cached and no request is made. If I hit refresh it works fine. Also if an user goes to login page again it won't redirect him because that page is also cached.

Two solutions come to my mind:

  1. Writing an Interceptor (servlet filter like) to add to response header no-cache etc.
  2. Or or put <meta> tags at each page.

Which one should I do?

A: 

Modify the headers with no-cache etc. It is the usual way.

Femaref
So writing an interceptor is better...Could you tell me which headers to add? Because i see several headers that should be put
Parhs
+8  A: 

Rather set the following headers on the HttpServletResponse of the page(s) in question so that you don't need to copypaste it over all pages manually:

response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
response.setDateHeader("Expires", 0); // Proxies.

This is equivalent to setting the following meta headers in the page(s) manually:

<meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="0">

Also see this answer. Don't forget to clear browser cache before testing ;)

BalusC
+4  A: 

I've found the following to work well:

response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, pre-check=0, post-check=0, private");
response.setHeader("Pragma", "no-cache");
response.setDateHeader("Expires", 0);

From the tags on this question it looks like you are using Struts. Struts 1.x allows you to do this through configuration in struts-config.xml by setting nocache="true" on the controller element:

<controller processorClass="org.apache.struts.tiles.TilesRequestProcessor" nocache="true" />

Mark Nottingham's caching tutorial is the best resource I've seen on the web about HTTP and caching if you are looking to understand more.

That being said, depending on the problem you are seeing it might be a browser history issue. See here for more information about that.

laz
BTW: only the first three `Cache-Control` properties as shown in your example is sufficient, they (and the `Expires` header) already "implicitly" sets the subsequent properties to the desired values.
BalusC
We arrived at those values while researching a problem where users with Opera were able to view secure pages in their browser history after logging off and destroying their session. That value was used as a fix. I'm trying to find the original link that explained how those settings were arrived at but I haven't been able to so far. Perhaps it is overkill though given that I only learned about the differences between browser cache and browser history after that research.
laz
There was indeed a related Opera 8.x bug which was fixed halfway the previous decade. Also caching of a redirect wasn't done properly in this browser. But practically nobody uses Opera 8 nowadays.
BalusC
A: 

I have found that adding the no-cache headers does not always work on IE.

ziggy
Apparently you forgot the `Expires` header. See also the answers in this question.
BalusC