This problem came up while implementing URL-based permission control.
User A has permission to access menu A.
User B has no permission to access menu A.
After logging in, user A types the URL of menu A directly into the address bar and can open it.
User A logs out.
After logging in, user B types the URL of menu A directly; access is denied,
and the browser is sent to the login page.
Now user A logs in again and types the URL of menu A directly, and access is still denied (and no request for this URL is sent to the server at all).
Why does this happen?
Has the session not been cleared?
If the user does not have permission, the following code is executed:
// No permission: clear the values held in the session.
session.invalidate();
String url = request.getContextPath();
response.setContentType("text/html; charset=UTF-8");
// response.setHeader("Pragma", "No-cache");
// response.setHeader("Cache-Control", "no-cache");
// response.setDateHeader("Expires", 0);
PrintWriter out = response.getWriter();
out.print("<meta http-equiv='Content-Type' content='text/html; charset=UTF-8'>");
out.print("<script>");
out.print("alert('You do not have sufficient permissions to perform this operation!');");
out.print("parent.document.location.href='" + url + "';");
out.print("</script>");
out.close();
Also, if IE is closed and user A logs in again and opens menu A, it can be accessed.
The analysis is as follows:
The code above is executed the first time a user without permission requests the URL.
From then on, as far as this browser is concerned, the content of that URL is the static HTML page produced by the code above.
Recall how IE caches: the first time the client sends a request to the server and receives the response, the client stores that response in the cache for the current browser session.
When the client makes the same request a second time, IE does not send it to the server immediately; it first checks the local cache for content matching the request.
If matching content exists, it is returned directly; if it does not (for example, the earlier response has expired), the request is sent to the server again.
This is the cause of the behaviour above: the "no permission" response carried no cache-control headers, so IE kept serving the cached denial page to user A without asking the server, regardless of who was logged in.
The fix is to add the relevant headers to the response when generating the HTML, marking the response as not cacheable, as follows:
response.setHeader("Pragma", "No-cache");
response.setHeader("Cache-Control", "no-cache");
response.setDateHeader("Expires", 0);
With these headers in place, every access to a menu the user is not permitted to see sends a request to the server instead of being answered from the browser cache. Note that the headers must be set before anything is written to the body; headers added after the response has been committed are silently ignored.
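The following servlet filter is an added example (not the original post's code) that puts the permission check and the corrected denial response together in one place. It assumes a hypothetical session attribute `allowedMenus` holding the set of menu URIs the logged-in user may open, and assumes the login page lives at the context root; both are assumptions of this example, not something the post states. It also tightens the page's header value from `no-cache` to `no-store, no-cache, must-revalidate, private`, since `no-cache` on its own still allows the response to be stored and only requires revalidation, and it returns a 403 status instead of a 200 so that no intermediary treats the denial page as a successful representation of the menu URL.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: URL-permission filter whose denial response is uncacheable,
// so a browser can never replay one user's denial page to a different user.
public class MenuPermissionFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (hasPermission(request)) {
            // Permitted menu pages are per-user content; keep them out of caches too.
            setNoCache(response);
            chain.doFilter(req, res);
            return;
        }
        deny(request, response);
    }

    // Hypothetical check (assumption of this example): at login the application
    // stores a Set<String> of permitted menu URIs under "allowedMenus".
    @SuppressWarnings("unchecked")
    static boolean hasPermission(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false;
        }
        Object allowed = session.getAttribute("allowedMenus");
        if (!(allowed instanceof Set)) {
            return false;
        }
        return ((Set<String>) allowed).contains(request.getRequestURI());
    }

    static void setNoCache(HttpServletResponse response) {
        // no-store is the directive that actually forbids reuse; no-cache alone
        // lets the browser keep a copy as long as it revalidates it.
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, private");
        response.setHeader("Pragma", "no-cache");   // HTTP/1.0 clients and older IE
        response.setDateHeader("Expires", 0);
    }

    static void deny(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();   // same behaviour as the original post
        }
        // Headers go first: once getWriter() output is flushed they cannot be changed.
        setNoCache(response);
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        response.setContentType("text/html; charset=UTF-8");
        String loginUrl = request.getContextPath() + "/";   // assumed login page location
        PrintWriter out = response.getWriter();
        out.print("<!DOCTYPE html><html><head><meta charset='UTF-8'></head><body>");
        out.print("<script>");
        out.print("alert('You do not have sufficient permissions to perform this operation!');");
        out.print("parent.document.location.href='" + loginUrl + "';");
        out.print("</script></body></html>");
        out.flush();
    }

    @Override
    public void destroy() { }
}
```

Map the filter to the menu URL space in web.xml (for example a `<url-pattern>/menu/*</url-pattern>`), so every menu request passes through it before reaching the page. The cache problem is not specific to IE: any browser may apply heuristic freshness to a 200 response that carries no explicit `Cache-Control` or `Expires` header, so a denial page, or any other per-user page, should always state its caching policy explicitly rather than relying on the browser's defaults.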