tomcat-users mailing list archives

From "Martin O'Shea" <>
Subject Session management issue with Tomcat
Date Sun, 18 Sep 2011 15:05:10 GMT


I have a situation where I'm using Tomcat 6.0.26 but the logging in / out of
the application is not authenticated via Tomcat's:


<form method="POST" action='<%= response.encodeURL("j_security_check") %>' >

The current system allows cookies to store userids which are used to show
recent lists on the homepage of the application. So for a session, a user's
userid can be read from the cookie and used to retrieve their details from
the database and store them in the session, and render the homepage with its
personalised recent list. 


The user's id can also then be placed in the login username box with the
password stored in the session. 


But, in a single browser session, if the first user logs out, and another
user logs in, the cookie is re-written with the new user's userid. But,
because this is all in one browser session, use of the browser's back button
allows the new user to access the profile details of the first user if the
first user visited the page before logging off. 


No secure data is held in the system.


Can anyone suggest a way to change this? I am no expert on session
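One way to close the back-button gap described above, as an added example that is not part of the original post or of Tomcat itself: a logout servlet that invalidates the session and expires the userid cookie, and a filter for the personalised pages that sends no-cache headers (so the back button re-requests the page rather than replaying a cached copy) and redirects to the login page when no user is in the session. The cookie name `userid`, the session attribute `user`, the page paths and the cookie path are assumptions.

```java
// --- LogoutServlet.java (assumed name; map to /logout in web.xml) ---
import java.io.IOException;
import javax.servlet.http.*;

public class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();   // drops the stored user details and password
        }
        // Expire the userid cookie (assumed name "userid"). The path must match
        // the one used when the cookie was set; the context path is assumed here.
        String path = req.getContextPath();
        if (path.length() == 0) {
            path = "/";
        }
        Cookie expired = new Cookie("userid", "");
        expired.setMaxAge(0);       // max-age 0 tells the browser to delete it
        expired.setPath(path);
        resp.addCookie(expired);
        resp.sendRedirect(req.getContextPath() + "/index.jsp");
    }
}

// --- NoCacheAuthFilter.java (assumed name; map to /profile/* in web.xml) ---
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class NoCacheAuthFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        // Forbid caching so "Back" cannot show the previous user's profile page.
        resp.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        resp.setHeader("Pragma", "no-cache");
        resp.setDateHeader("Expires", 0);
        // Without a logged-in user in the session, the page is not rendered at all.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            resp.sendRedirect(req.getContextPath() + "/login.jsp");
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Both classes use only the Servlet 2.5 API available in Tomcat 6; the two files are shown together here and should be split into separate source files when compiled.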


