Hi All,
I have searched around looking for information on invalidating a user's session such that the browser's back button cannot be used to revisit pages. Using
// Look up the current session without creating a new one, then invalidate it
FacesContext context = FacesContext.getCurrentInstance();
HttpSession session = (HttpSession) context.getExternalContext().getSession(false);
if (session != null) {
    session.invalidate();
}
I thought may work, but the browser's back button can still access page information. I also use a filter to check on the user's status, which works as it should to make sure the user has logged in correctly. Properly invalidating the session is a problem.
Any guidance appreciated.
Jim
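
Added example, not part of the original post: session.invalidate() only discards server-side state, so a page the browser has already cached can still be redisplayed by the back button without any request reaching the login filter. The sketch below marks protected responses as non-cacheable in the same filter that checks login status; it assumes the javax.servlet API, and the class name, the "user" session attribute and the "/login.xhtml" path are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: NoCacheAuthFilter, the "user" attribute and "/login.xhtml"
// are assumptions, not names taken from the original post.
public class NoCacheAuthFilter implements Filter {

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Tell the browser and intermediaries not to store protected pages,
        // so "back" after logout triggers a fresh request instead of a cached copy.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");   // HTTP/1.0 clients
        response.setDateHeader("Expires", 0);       // already expired

        // getSession(false) returns null after invalidate(), so the fresh
        // request made by the back button lands here and is redirected.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("user") != null;
        if (!loggedIn) {
            response.sendRedirect(request.getContextPath() + "/login.xhtml");
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```

Map the filter only to the protected URL pattern, not to the login page itself, otherwise the redirect loops. Pages cached before the headers were in place stay in the browser cache until it is cleared.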