tomcat-users mailing list archives

From "Craig R. McClanahan" <>
Subject Re: Tomcat 4 clears login parameters?
Date Sat, 18 May 2002 17:34:10 GMT

On Sat, 18 May 2002, Lawlor, Frank wrote:

> Date: Sat, 18 May 2002 01:00:11 -0500
> From: "Lawlor, Frank" <>
> Reply-To: Tomcat Users List <>
> To: "'Tomcat (E-mail)'" <>
> Subject: Tomcat 4 clears login parameters?
> One problem that Tomcat web apps have is that
> the login page remains in the browser history
> and if the user navigates to one
> of these and tries to use it, they get a rather
> incomprehensible result.
> In Tomcat 3.x we had a good solution (the only
> one I have been able to find anywhere) which
> depends upon setting a parameter to indicate
> that the page has been used (this is used by
> JavaScript to write "Page invalidated" or whatever
> you want).
> Unfortunately Tomcat 4.x seems to clear all the
> parameters.  I suppose there may be some
> good security reason for clearing the username
> and password, but can't it leave other parameters
> alone?

Storing the username and password (from a form-based login) as attributes
visible to the application was a very poor design decision in 3.3.  You
have unfortunately gotten yourself dependent on a container-specific
implementation detail that isn't portable to anywhere else (even to other
Tomcat versions).

You should put the appropriate HTML meta tags at the top of your login
page to tell the browser not to cache the data -- that way, the user will
get an "expired" error if they try to resubmit it, the same as you could
do on any other form in the app when you want to avoid resubmits.

> Thanks,
> Frank Lawlor
> Athens Group, Inc.
> (512) 345-0600 x151
> Athens Group, an employee-owned consulting firm integrating technology
> strategy and software solutions.
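
Added example, not part of the original message: a form-based login page carrying the no-cache meta tags the reply recommends. The file name `login.jsp` is an assumption, and the matching HTTP response headers go beyond the meta tags the reply mentions; they are included because browsers and intermediate caches act on headers before parsing the markup.

```jsp
<%-- login.jsp: constructed example; the file name and page text are assumptions --%>
<%@ page contentType="text/html; charset=UTF-8" %>
<%
    // Same directives as the meta tags below, sent as real response headers.
    response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate"); // HTTP/1.1
    response.setHeader("Pragma", "no-cache");                                   // HTTP/1.0
    response.setDateHeader("Expires", 0);                                       // already expired
%>
<html>
<head>
  <title>Login</title>
  <%-- Meta-tag equivalents, as suggested in the reply above --%>
  <meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate">
  <meta http-equiv="Pragma" content="no-cache">
  <meta http-equiv="Expires" content="0">
</head>
<body>
  <%-- j_security_check, j_username and j_password are the names the
       servlet specification fixes for form-based login --%>
  <form method="POST" action="<%= response.encodeURL("j_security_check") %>">
    <label>User name: <input type="text" name="j_username"></label><br>
    <label>Password: <input type="password" name="j_password" autocomplete="off"></label><br>
    <input type="submit" value="Log in">
  </form>
</body>
</html>
```

The headers are set inside the page itself because the container forwards to the login page internally, so the page is the one place that is certain to run for every login prompt.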

