Did you say the pages are static (HTML)? Or are they JSPs? Or does the request pass through a Struts action? If they are not plain HTML, then in your action or in the JSP page check if the user is logged in. If not, redirect to the login page.
Here is the simple scriptlet that you should stick at the beginning of every session-related page:

    <%
      if (session.getAttribute("USER") == null) {
        response.sendRedirect("Login.do");
        return; // stop here so the rest of the page is not rendered after the redirect
      }
    %>

Or you may want to write a guard tag; see Ted Husted's MailReader sample application for details. Or you may want to write a servlet filter.

Michael.

On 12/1/05, info3853 Bush <[EMAIL PROTECTED]> wrote:
> Yes, I did that. Now all pages are blank. What I really wish is that after
> logout, when user hit "back" button, the page goes back to login page, never
> visit all pages visited before even just blank page now.
>
> Michael Jouravlev <[EMAIL PROTECTED]> wrote: On 12/1/05, info3853 Bush wrote:
> > That's true. This topic belongs to web application security.
> >
> > The thing is that all static content are shown when you used the "back"
> > button. Of course, you can't click any link since the session is already
> > invalidated.
>
> Mark page as non-cacheable with "no-cache, no-store" cache-control
> header. You may want to add some other headers too, like
> must-revalidate. When you hit Back, the browser would try to reload a
> page, here you would show the error.
>
> Michael.