All pages are JSPs. After adding a similar user check to the sessionFilter.java class, all "back" actions after logout are now directed to the login page. This way, I don't need to add a user check to each JSP page. Thanks for the hint.

Michael Jouravlev <[EMAIL PROTECTED]> wrote:

Did you say pages are static (HTML)? Or they are JSPs? Or does request pass through Struts action? If they are not plain HTML, then in your action or in JSP page check if user is logged in. If not, redirect to login page. Here is the simple scriptlet that you should stick in the beginning of every session-related page:

    <%
      if (session.getAttribute("USER") == null) {
        response.sendRedirect("Login.do");
        return; // stop rendering the rest of the page after the redirect
      }
    %>

Or you may want to write a guard tag, see Ted Husted's MailReader sample application for details. Or you may want to write a servlet filter.

Michael.

On 12/1/05, info3853 Bush wrote:
> Yes, I did that. Now all pages are blank. What I really wish is that after
> logout, when the user hits the "back" button, the page goes back to the login
> page, never visiting all the pages visited before, even just a blank page now.
>
> Michael Jouravlev wrote:
> On 12/1/05, info3853 Bush wrote:
> > That's true. This topic belongs to web application security.
> >
> > The thing is that all static content is shown when you use the "back"
> > button. Of course, you can't click any link since the session is already
> > invalidated.
>
> Mark page as non-cacheable with "no-cache, no-store" cache-control
> header. You may want to add some other headers too, like
> must-revalidate. When you hit Back, the browser would try to reload a
> page, here you would show the error.
>
> Michael.
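
Added example (not part of the original thread, and not the poster's sessionFilter.java): a servlet filter that combines the session check and the cache-control headers discussed above. The class name SessionGuardFilter and the "/Login.do" servlet path are assumptions; the "USER" attribute and Login.do come from the scriptlet in the thread.

```java
// Added example. SessionGuardFilter and LOGIN_PATH are hypothetical names.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionGuardFilter implements Filter {
    private static final String LOGIN_PATH = "/Login.do"; // assumed mapping

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // Forbid caching so "back" after logout forces a fresh request
        // instead of showing the browser's stored copy of the page.
        res.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        res.setHeader("Pragma", "no-cache"); // for HTTP/1.0 caches
        res.setDateHeader("Expires", 0);

        // Let the login action through, otherwise the redirect loops forever.
        if (LOGIN_PATH.equals(req.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false): do not create a new session just to test for one.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("USER") == null) {
            res.sendRedirect(req.getContextPath() + LOGIN_PATH);
            return; // the protected page must not render after the redirect
        }
        chain.doFilter(req, res);
    }
}
```

The filter only takes effect once it is mapped in web.xml to the URL patterns of the protected pages and actions.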