Disable Browser Caching in JSF
Posted by David Chandler on August 8, 2006
Browser caching of page content has negative security implications when your application runs on shared terminals (like the public library). You can turn it off with this simple phase listener. Well, maybe. As some of the comments indicate, browsers are finicky, and of course, we never trust the browser, anyway, so using this technique is certainly not a security guarantee of any kind.
package my.util;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;
import javax.servlet.http.HttpServletResponse;
public class CacheControlPhaseListener implements PhaseListener
{
public PhaseId getPhaseId()
{
return PhaseId.RENDER_RESPONSE;
}
public void afterPhase(PhaseEvent event)
{
}
public void beforePhase(PhaseEvent event)
{
FacesContext facesContext = event.getFacesContext();
HttpServletResponse response = (HttpServletResponse) facesContext
.getExternalContext().getResponse();
response.addHeader("Pragma", "no-cache");
response.addHeader("Cache-Control", "no-cache");
// Stronger according to blog comment below that references HTTP spec
response.addHeader("Cache-Control", "no-store");
response.addHeader("Cache-Control", "must-revalidate");
// some date in the past
response.addHeader("Expires", "Mon, 8 Aug 2006 10:00:00 GMT");
}
}
To register the phase listener, just add this to your faces-config.xml:
<lifecycle> <phase-listener id="nocache">my.util.CacheControlPhaseListener</phase-listener> </lifecycle>
TurboManage 
Ward said
Thanks for the code man, I am having some issues with the back button /JSF and this is exactly the code I need. Much appreciated…
Sushma said
Thanks a lot…. It works like a charm…
Lowster said
Worked a treat, thanks.
hermes said
I am having some issues with Firefox.
Sam said
do you have a jsf example to trigger this CacheControlPhaseListener ? thanks.
turbomanage said
Sam,
I’ve now packaged it in a jar and included a link to the download in this post. Just drop the jar under WEB-INF/lib for your application. There’s nothing else you have to do to enable it. If you use a proxy tool like Paros, you’ll be able to see the no-cache headers getting written for each request.
/dmc
Garima said
where is the link for jar files?
Sam said
Hi:
I am using myfaces tobago. would there be any configuration need to do? where is the links to get the jar file? thanks again
Sam said
do I need to add the below config into my existing faces-config.xml? I tried your suggestion above and did not work. thanks agian
com.learnjsf.util.nocache.CacheControlPhaseListener
JR said
Interesting that this gets called but does not write into the response. I threw a logger in there to make sure that its getting called but the headers don’t show up in the response.
Any thoughts on this?
Thanks
SwappeR said
What about Firefox 1.5? The code doesn’t work for it, it works only for IE6. Is there any solution for Firefox?
Peter Sramka said
THERE IS A FLAW WITH THIS TECHNIQUE.
Here is a quote from the HTTP 1.1 specification describing the “no-cache” header:
no-cache
If the no-cache directive does not specify a field-name, then a
cache MUST NOT use the response to satisfy a subsequent request
without successful revalidation with the origin server. This
allows an origin server to prevent caching even by caches that
have been configured to return stale responses to client requests.
If the no-cache directive does specify one or more field-names,
then a cache MAY use the response to satisfy a subsequent request,
subject to any other restrictions on caching. However, the
specified field-name(s) MUST NOT be sent in the response to a
subsequent request without successful revalidation with the origin
server. This allows an origin server to prevent the re-use of
certain header fields in a response, while still allowing caching
of the rest of the response.
Note: Most HTTP/1.0 caches will not recognize or obey this
directive.
When this response header is used without any field-name, then the cache is still allowed to store the response. It just can not re-use that response “without successful revalidation with the origin server.” Therefore, the stated aim of preventing “negative security implications when your application runs on shared terminals (like the public library)” is not achieved, since sensitive data may still be store on the shared terminal.
Consider the use of the “no-store” header, which is more secure, but still not a guarantee of security. Here is a quote from the HTTP 1.1 specification describing the “no-store” header:
no-store
The purpose of the no-store directive is to prevent the
inadvertent release or retention of sensitive information (for
example, on backup tapes). The no-store directive applies to the
entire message, and MAY be sent either in a response or in a
request. If sent in a request, a cache MUST NOT store any part of
either this request or any response to it. If sent in a response,
a cache MUST NOT store any part of either this response or the
request that elicited it. This directive applies to both non-
shared and shared caches. “MUST NOT store” in this context means
that the cache MUST NOT intentionally store the information in
non-volatile storage, and MUST make a best-effort attempt to
remove the information from volatile storage as promptly as
possible after forwarding it.
Even when this directive is associated with a response, users
might explicitly store such a response outside of the caching
system (e.g., with a “Save As” dialog). History buffers MAY store
such responses as part of their normal operation.
The purpose of this directive is to meet the stated requirements
of certain users and service authors who are concerned about
accidental releases of information via unanticipated accesses to
cache data structures. While the use of this directive might
improve privacy in some cases, we caution that it is NOT in any
way a reliable or sufficient mechanism for ensuring privacy. In
particular, malicious or compromised caches might not recognize or
obey this directive, and communications networks might be
vulnerable to eavesdropping.
InterJSF said
I am getting the following error when I dropped the jar in my web-inf/lib directory –
[STDOUT] ERROR PhaseListenerManager – Exception in PhaseListener RENDER_RESPONSE(6) beforePhase.
java.lang.ClassCastException: org.jboss.portlet.JBossRenderResponse
at com.learnjsf.util.nocache.CacheControlPhaseListener.beforePhase(CacheControlPhaseListener.java:16)
Alain O'Dea said
What about scalability? Is it really wise to disable all HTTP caching? Any reasonable web framework should let you configure domain-aware HTTP caching to reduce unnecessary load on the app and datastore.
sue said
I use this code, half work, and half does not work.
My application: on the left side use tree for the menu, when I click the back button, the page is rollback, but the menu is not.
any idea?
Thanks,
Murtaza said
I was trying exactly the same concept using Servlet Filter and it was not working. Thank you.
Akram Badr said
I try to use this but i think it does not work correctly
for example if I have web site contain a login page and after login page main page contain menu on left hand site if I clicked on menu link 1 ==> you will navigate to page 1 then click menu link 2 ==> you will navigate to page 2 then use back you will get page 1 not ==> page has expired (which is not correct), if you use back again you will get page has expired
Any help please
turbomanage said
You might try adding some logging statements to verify that the phase listener is being invoked on the transition from page 1 to page 2. Or use a Firefox plugin like TamperData to verify that the no-cache headers are being set correctly. Also try other browsers.
Pradip said
Hey i’m facing the same problem.
i have scenario like
user goes to Search page , from there go to detail page , edit it, save it.
now if i do back…it works fine in Firefox which takes me to edit page.
but in IE it displays “page has expired”..
Jigar said
adding this jar into my project didnt work ..
it is same as when jar was not present..
when user clicks on sign out button he/she will be navigated to logoutpage where session will be destroyed..
and then he/she will be forwarded to home page ..
but as user clicks back button he gets all the pages..which he must not..
browser :firefox 3.0
Jigar said
it isnt working …
by just putting it into current project.
JSF/ADF and the browsers’ back button | Oracle said
[…] no-caching on your web application using the phaselistener (jsf […]
David Chandler said
I updated this post to incorporate some of the comments and remove a dead link.
kamaraju said
will it work for firefox
kamaraju said
i have tried in it its not working with fire fox how to resolve it ..
David Chandler said
Take a look at http://forums.sun.com/thread.jspa?threadID=5404787
JSF/ADF and the browsers’ back button « iAdvise blog said
[…] no-caching on your web application using the phaselistener (jsf […]
Ibra said
it works thank. You save the day.
Al said
Very helpful code. It did the job for my req. Thanks.
Justin said
Very useful code. Thanks for sharing
Om said
Hi,
I tried ur code and it worked fine. I just wanted to know waht if I have multiple faces-config.xml. For me it is working fine by just including it in one but is there anything more I need to do.
David Chandler said
Nope. The phase listener just needs to be registered one place.
Om said
thanks… the code rocks……..
Rajasekhar said
Very useful code. I need one more help when we click of F5 or browser refresh in jsf application it should come out to LogOut page.
In Rich faces how to do this one? and also how to hide JSESSiONID in URL?
Juan said
I was really need it this :).
Im using icefaces, i did a asyncronic shopping cart and when i added an item and navigate to other section and pressed the back button the item that i preview added didnt appear in screen but it was on session scope.
I did also a asyncronic login and i had the same issue.
Now everything is working. Thank you so much, i test it in Mozilla 5.0 and IE 7
Vikas said
Excellent Post, just worked fine for me.
Sanket Saxena said
Thanks David, I have faced same problem. It works with your posted code
Sanket Saxena said
Thanks David for putting a great suggestion, It help us to overcome from various cache problem.
Sanket Saxena said
Hi Devid,
I have implemented your posted code, and this is working perfectly in all browsers except IE6. Have you any idea or suggestion to overcome from this problem (IE6 browser cache issue)
David Chandler said
Yep. Put in some code to detect IE6 and redirect the user to whatbrowser.org;-)
Maroc annonces said
ther are another way to do this:
FacesContext facesContext = event.getFacesContext();
HttpServletResponse response = (HttpServletResponse) facesContext.getExternalContext().getResponse();
response.addHeader(“Pragma”, “no-cache”);
response.addHeader(“Cache-Control”, “no-cache”);
response.setHeader(“Cache-Control”, “no-store”);
response.addHeader(“Cache-Control”, “must-revalidate”);
Evgeni Reingold said
Excellent – works perfectly fine.
Neeraj Kumar Sharma said
You can Add this also Thanks Man
FacesContext facesContext = event.getFacesContext();
HttpServletResponse response = (HttpServletResponse) facesContext.getExternalContext()
.getResponse();
response.setHeader(“Cache-control”, “no-cache”); // HTTP 1.1
response.setHeader(“Cache-control”, “no-store”); // HTTP 1.1
response.setHeader(“Cache-control”, “must-revalidate”); // HTTP 1.1
// response.setHeader(“Pragma”,”no-cache”); //HTTP 1.0
response.setHeader(“Allow”, “GET”); // Allowing GET Method only
response.setHeader(“Allow”, “POST”);// Allowing POST Method only
response.setDateHeader(“Expires”, -1); // prevent caching at the proxy server
alex said
Bueno tengo un problema tratando de evitar cuando den F5 en el navegador reenvie la solicitud a mi servlet lo cual no debe de pasar, podrian explicarme como es que funciona esto por favor.
donde tendria que ponerlo en el dopost o en el formulario jsp.?
entre etiquetas etc…
FacesContext facesContext = event.getFacesContext();
HttpServletResponse response = (HttpServletResponse) facesContext.getExternalContext()
.getResponse();
response.setHeader(“Cache-control”, “no-cache”); // HTTP 1.1
response.setHeader(“Cache-control”, “no-store”); // HTTP 1.1
response.setHeader(“Cache-control”, “must-revalidate”); // HTTP 1.1
// response.setHeader(“Pragma”,”no-cache”); //HTTP 1.0
response.setHeader(“Allow”, “GET”); // Allowing GET Method only
response.setHeader(“Allow”, “POST”);// Allowing POST Method only
response.setDateHeader(“Expires”, -1); // prevent caching at the proxy server
surtep said
Don’t fool yourself…the previous page expires only the first time.
You enter on the old url again of your app it still go to it!
The cache gets recreated by your browser.
JSF 2 don’t cache static assets .css and .js | active questions php said
[…] I have in place a phase listener, basically a slightly modified version of this https://turbomanage.wordpress.com/2006/08/08/disable-browser-caching-in-jsf/ […]
How to disable caching of static assets like .css and .js in JSF2? | active questions php said
[…] I have in place a phase listener, basically a slightly modified version of this https://turbomanage.wordpress.com/2006/08/08/disable-browser-caching-in-jsf/ […]
Naveen said
I have implemented it using filters
web.xml modifications
BrowserCacheHandlerFilter
com.legaledcenter.util.BrowserCacheHandlerFilter
BrowserCacheHandlerFilter
Faces Servlet
BrowserCacheHandlerFilter–>
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
String path = ((HttpServletRequest) servletRequest).getServletPath();
if(!path.startsWith(“/javax”) ){
HttpServletResponse res = (HttpServletResponse) servletResponse;
res.setHeader(“Cache-Control”, “no-cache, no-store, must-revalidate”); // HTTP 1.1.
res.setHeader(“Pragma”, “no-cache”); // HTTP 1.0.
res.setDateHeader(“Expires”, 0); // Proxies.
}
filterChain.doFilter(servletRequest, servletResponse);
}
nanajoe said
thanks a lot! it works perfectly
Thiruppathi said
hi friend…
how to session logout the copied url from one tab to another tab in same browser…plz help me
thanks in advance
by thiru
hkcoderh said
Nicely written and explained.
I tried you code, i have done the same process as explained above. But, still my JSF Page is maintaining session. I tried in FireFox + IE.
Could you suggest anything?
Hitesh said
I tried this code in JSF 2.0. But not working for it. I checked in firefox and iE.
aarif said
when i am using this code then i am not able to login into my application why so…..
aarif said
@Override
public void doHeaders(RenderRequest request, RenderResponse response)
{
logger.debug(“>> LoginPortlet:::doHeaders()”);
logger.debug(“>> LoginPortlet:::doHeaders() “+request+””+response);
Element resElement = response.createElement(“link”);
resElement.setAttribute(“Pragma”, “no-cache”);
resElement.setAttribute(“Cache-Control”, “no-cache”);
resElement.setAttribute(“Cache-Control”, “no-store”);
resElement.setAttribute(“Cache-Control”, “must-revalidate”);
resElement.setAttribute(“Expires”, “-1”);
response.addProperty(MimeResponse.MARKUP_HEAD_ELEMENT,resElement);
logger.debug(“<“+resElement.getAttribute(“Pragma”));
logger.debug(“<“+resElement.getAttribute(“Cache-Control”));
logger.debug(“<< LoginPortlet:::doHeaders()");
}
aarif said
add below code in portlet.xml…..
javax.portlet.renderHeaders
true
now enjoy clear cache, dont forget to paste above method
David Chandler said
Thanks, aarif. Which portal(s) have you tested with?
aarif said
Hi David,
welcome..i have tested it on GateIn-3.5.0.Final-jbossas7 portal with jsr286 .
golf now las vegas said
I’m extremely impressed along with your writing talents as well as with the structure in your blog. Is that this a paid subject or did you modify it yourself? Either way keep up the excellent high quality writing, it’s uncommon to look
a great weblog like this one nowadays..
wiggin said
Thanks that solves my problem with my views that fetch data from the database, it was concerning, because when the data changed into database the view still remained without any change. I was already began to guess that the problem lies into browser cache, now i can confirm it.
aarif said
David can i have your email id.?
regards,
aarif mohammad
http://www.javatechnologycenter.com
David Chandler said
I generally only answer questions on the blog for the benefit of everyone, but if you want to hire me, you can get my email from the DMC page.
Imran said
it is working fine.
thanks so much
boris said
its working for me too
thanks a lot
jsf 2.2.8
Gheo said
it’s had been writing since 2006 and until 2017 it’s working.
Thanks, you save my life.
David Chandler said
Glad to help, Gheo. It remains my most popular blog post ever.