Just noticing something here, and adding my grain of salt:
Martin O'Shea wrote:
...
>
> The underlying principle here is that if multiple users use the same PC,
(with or without logging out/in?)
and
> maybe even the same session in a browser, a single cookie is used to store a
> userid. Various system pages have a login facility and if invoked, the
> cookie is rewritten with the current user's id. But this is where the Back
> button issue occurs so it may be that session invalidation solve my
> problem.
>
I would tend to say that if multiple users use a PC, and they do not each login with their
own user-id, then the basic behaviour which you explain is to be expected.
These users share a single "user environment" on that PC, which includes the browser's
history, cookies, and much more than that under Windows (think "recent documents", desktop
etc.).
I am not sure that the issue then is at your application level or at the Tomcat level.
It is more at the general usage (and security) policies level.
Morality: don't do that.
If users do logout and login on that PC each with his own user-id, that issue would not
exist, because Windows keeps a separate "user profile" for each of these users, so they
would never share a cookie e.g.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
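For the session-invalidation route Martin mentions, here is an added illustration (not code from the thread or from Tomcat itself) of a login servlet that discards whatever session the previous user of that browser left behind and keeps the user id server-side instead of in a plain cookie; the `javax.servlet` API (Tomcat 9 and earlier), the `/home` path and the `authenticate` helper are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login servlet for a Tomcat webapp shared by several users on one PC.
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String userId = req.getParameter("userid");
        String password = req.getParameter("password");
        if (userId == null || !authenticate(userId, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Whoever used this browser before may still have a live session:
        // throw it away so nothing of the previous user survives the login.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }

        // getSession(true) after invalidate() issues a fresh JSESSIONID cookie.
        // The user id lives in the server-side session, not in a cookie the
        // next person at the keyboard could read or reuse.
        HttpSession session = req.getSession(true);
        session.setAttribute("userid", userId);
        session.setMaxInactiveInterval(15 * 60); // idle timeout in seconds

        // Ask the browser not to cache the response, so Back does not replay
        // a page rendered for the previous user from the local cache.
        resp.setHeader("Cache-Control", "no-store");
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    // Placeholder credential check; a real webapp would use its Realm / user store.
    private boolean authenticate(String userId, String password) {
        return password != null && !password.isEmpty();
    }
}
```

A matching logout handler should call `session.invalidate()` too, and the `no-store` header belongs on every authenticated page (typically via a Filter), not only on the login response.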