authorFelix Fontein <ff@dybuster.com>2020-04-08 13:48:27 +0200
committerGitHub <noreply@github.com>2020-04-08 14:48:27 +0300
commit477e9fe824efeae0085ea15ec4bd05740fa2df40 (patch)
tree2add1a79844d63c9bcbc8ee5fa0904a21fdd7af8 /server
parenta486f6480979e93812cb1236e89e41d03f79d448 (diff)
Expired session: use 403 Forbidden instead of 410 Gone (#11859)
Use 403 Forbidden instead of 410 Gone when the session has expired. Also prevent caching in more cases.
Diffstat (limited to 'server')
-rw-r--r--server/src/main/java/com/vaadin/server/VaadinService.java10
-rw-r--r--server/src/main/java/com/vaadin/server/communication/HeartbeatHandler.java13
2 files changed, 15 insertions, 8 deletions
diff --git a/server/src/main/java/com/vaadin/server/VaadinService.java b/server/src/main/java/com/vaadin/server/VaadinService.java
index 7db1a4fd55..4f01820868 100644
--- a/server/src/main/java/com/vaadin/server/VaadinService.java
+++ b/server/src/main/java/com/vaadin/server/VaadinService.java
@@ -1759,7 +1759,15 @@ public abstract class VaadinService implements Serializable {
* endless loop. This can at least happen if refreshing a
* resource when the session has expired.
*/
- response.sendError(HttpServletResponse.SC_GONE,
+
+ // Ensure that the browser does not cache expired responses.
+ // iOS 6 Safari requires this (#3226)
+ response.setHeader("Cache-Control", "no-cache");
+ // If Content-Type is not set, browsers assume text/html and may
+ // complain about the empty response body (#4167)
+ response.setHeader("Content-Type", "text/plain");
+
+ response.sendError(HttpServletResponse.SC_FORBIDDEN,
"Session expired");
}
} catch (IOException e) {
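Review bot: The header-then-sendError sequence added here (`Cache-Control: no-cache`, `Content-Type: text/plain`, `sendError(SC_FORBIDDEN, "Session expired")`) is now duplicated verbatim in both HeartbeatHandler hunks of this commit, so the expired-session response is shaped in three places that must be kept in sync by hand; a small shared static helper that takes the response and applies the two headers, called from each site, would keep future changes to the no-cache policy in one place. Separately, the servlet contract allows the container to replace the body of a `sendError` response with its own error page, and in some containers that also resets the content type, so the `text/plain` header set on the preceding line may not survive to the client in every deployment — worth confirming against the target container, and a comment such as `// Headers must be set before sendError(); the container's error page may still override Content-Type` would record the constraint for the next reader. The enclosing method begins and ends outside the hunk.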
diff --git a/server/src/main/java/com/vaadin/server/communication/HeartbeatHandler.java b/server/src/main/java/com/vaadin/server/communication/HeartbeatHandler.java
index 07ab402514..8733c7b58c 100644
--- a/server/src/main/java/com/vaadin/server/communication/HeartbeatHandler.java
+++ b/server/src/main/java/com/vaadin/server/communication/HeartbeatHandler.java
@@ -62,10 +62,10 @@ public class HeartbeatHandler extends SynchronizedRequestHandler
if (ui != null) {
ui.setLastHeartbeatTimestamp(System.currentTimeMillis());
// Ensure that the browser does not cache heartbeat responses.
- // iOS 6 Safari requires this (#10370)
+ // iOS 6 Safari requires this (#3226)
response.setHeader("Cache-Control", "no-cache");
// If Content-Type is not set, browsers assume text/html and may
- // complain about the empty response body (#12182)
+ // complain about the empty response body (#4167)
response.setHeader("Content-Type", "text/plain");
} else {
response.sendError(HttpServletResponse.SC_NOT_FOUND,
@@ -88,15 +88,14 @@ public class HeartbeatHandler extends SynchronizedRequestHandler
if (!ServletPortletHelper.isHeartbeatRequest(request)) {
return false;
}
-
- // Ensure that the browser does not cache expired response.
- // iOS 6 Safari requires this (#10370)
+ // Ensure that the browser does not cache expired heartbeat responses.
+ // iOS 6 Safari requires this (#3226)
response.setHeader("Cache-Control", "no-cache");
// If Content-Type is not set, browsers assume text/html and may
- // complain about the empty response body (#12182)
+ // complain about the empty response body (#4167)
response.setHeader("Content-Type", "text/plain");
- response.sendError(HttpServletResponse.SC_NOT_FOUND, "Session expired");
+ response.sendError(HttpServletResponse.SC_FORBIDDEN, "Session expired");
return true;
}
}