struts-user mailing list archives

From Laurie Harper <lau...@holoweb.net>
Subject Re: How to prevent URL cached
Date Fri, 02 Dec 2005 00:55:33 GMT
Or use container managed security (which, I think, can be used for 
static as well as dynamic content?)... Like I said, there are a lot of 
options... ;-)

Michael Jouravlev wrote:
> Did you say pages are static (HTML)? Or they are JSPs? Or does request
> pass through Struts action? If they are not plain HTML, then in your
> action or in JSP page check if user is logged in. If not, redirect to
> login page.
> 
> Here is the simple scriptlet, that you should stick in the beginning
> of every session-related page:
> 
> <%
>    // Not logged in: redirect to the login page and stop rendering this page.
>    if (session.getAttribute("USER") == null) {
>        response.sendRedirect("Login.do");
>        return;
>    }
> %>
> 
> Or you may want to write a guard tag, see Ted Husted's MailReader
> sample application for details. Or you may want to write a servlet
> filter.
> 
> Michael.
> 
> On 12/1/05, info3853 Bush <info3853@yahoo.com> wrote:
>> Yes, I did that. Now all pages are blank. What I really wish is that after logout,
>> when user hit "back" button, the page goes back to login page, never visit all pages visited
>> before even just blank page now.
>>
>> Michael Jouravlev <jmikus@gmail.com> wrote:  On 12/1/05, info3853 Bush wrote:
>>> That's true. This topic belongs to web application security.
>>>
>>> The thing is that all static content are shown when you used the "back" button.
>>> Of course, you can't click any link since the session is already invalidated.

>> Mark page as non-cachable with "no-cache, no-store" cache-control
>> header. You may want to add some other headers too, like
>> must-revalidate. When you hit Back, the browser would try to reload a
>> page, here you would show the error.
>>
>> Michael.

