Re: How to prevent URL cached

2005-12-02 Thread info3853 Bush
All pages are JSPs.

After adding the similar user check to the sessionFilter.java class, every
"back" action after logout is now directed to the login page.
In this way, I don't need to add a user check to each JSP page.

Thanks for the hint.

Michael Jouravlev <[EMAIL PROTECTED]> wrote:  Did you say the pages are static
(HTML)? Or are they JSPs? Or does the request
pass through a Struts action? If they are not plain HTML, then in your
action or in the JSP page check whether the user is logged in. If not, redirect to
the login page.

Here is a simple scriptlet that you should stick at the beginning
of every session-related page:

<%
    if (session.getAttribute("USER") == null) {
        response.sendRedirect("Login.do");
        return; // stop rendering: nothing of the protected page may be written
    }
%>

Or you may want to write a guard tag; see Ted Husted's MailReader
sample application for details. Or you may want to write a servlet
filter.

Michael.

On 12/1/05, info3853 Bush wrote:
> Yes, I did that. Now all pages are blank. What I really wish is that after
> logout, when the user hits the "back" button, the page goes back to the login page, never
> visiting any page visited before, even if it is just a blank page now.
>
> Michael Jouravlev wrote:  On 12/1/05, info3853 Bush wrote:
> > That's true. This topic belongs to web application security.
> >
> > The thing is that all static content is shown when you use the "back"
> > button. Of course, you can't click any link since the session is already
> > invalidated.
>
> Mark the page as non-cachable with a "no-cache, no-store" cache-control
> header. You may want to add some other headers too, like
> must-revalidate. When you hit Back, the browser would try to reload the
> page, and here you would show the error.
>
> Michael.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]






Re: How to prevent URL cached

2005-12-01 Thread info3853 Bush
Yes, I did that. Now all pages are blank. What I really wish is that after
logout, when the user hits the "back" button, the page goes back to the login page, never
visiting any page visited before, even if it is just a blank page now.

Michael Jouravlev <[EMAIL PROTECTED]> wrote:  On 12/1/05, info3853 Bush wrote:
> That's true. This topic belongs to web application security.
>
> The thing is that all static content is shown when you use the "back"
> button. Of course, you can't click any link since the session is already
> invalidated.

Mark the page as non-cachable with a "no-cache, no-store" cache-control
header. You may want to add some other headers too, like
must-revalidate. When you hit Back, the browser would try to reload the
page, and here you would show the error.

Michael.







Re: How to prevent URL cached

2005-12-01 Thread info3853 Bush
That's true. This topic belongs to web application security.

The thing is that all static content is shown when you use the "back"
button. Of course, you can't click any link since the session is already
invalidated.

Normally, you do all access control through the BaseAction class since all
actions are dispatched somehow from there. If you have a Struts application, you
can send a request something like
http://yourapplication/XXX.do, where XXX is configured in your
struts-config.xml; then you will see what happened. There will be some
kind of exception thrown out, but not a proper message like "page not
existed", etc.

Laurie Harper <[EMAIL PROTECTED]> wrote:
info3853 Bush wrote:
> I noticed that in many web applications, after you logout from the
> application, you can still use the browser "back" button to view some pages
> you supposedly shouldn't. In some web applications, like gmail, if you logout
> and click back, it will always redirect the page to the login page. Some
> other applications, even like ameritrade, will allow you to view some
> static content just visited.
>
> My question is whether there is any easy way in struts to configure that, after you
> logout from the application, using the browser "back" button will always direct you
> to the login page.

As with any web application, Struts-based or otherwise, you need to
secure the content you don't want to be re-visitable after logout, and
make sure that as part of your logout processing you invalidate the
current session and any authentication credentials you have stored
elsewhere.

For example, you could have a check on each request for an
'authenticated' token or flag in the session and, if it's not present,
redirect to a login page.

Unfortunately, there are too many ways to approach this kind of thing to
list here. Which are appropriate depends on your requirements. Try
googling for 'web application security'; you'll find *lots* of further
reading on the topic.

L.


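A servlet filter that puts the three suggestions from this thread in one place: the per-page session check from Michael's scriptlet, the "no-cache, no-store" headers, and Laurie's per-request check for an authentication flag in the session. This is an added example, not code from the thread; it assumes the session attribute "USER", a login action at /Login.do, and that the filter is mapped in web.xml only to the protected URLs, never to the login page itself (otherwise every request would redirect to itself).

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// One guard for every protected page: no logged-in user -> redirect to login;
// otherwise forbid caching so that Back after logout re-requests the page
// (and is then redirected) instead of showing a stale copy.
public class SessionFilter implements Filter {

    // Session attribute from the scriptlet above and the login action it
    // redirects to; both are assumed names for this example.
    private static final String USER_ATTRIBUTE = "USER";
    private static final String LOGIN_PATH = "/Login.do";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session for an anonymous request.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null
                && session.getAttribute(USER_ATTRIBUTE) != null;

        if (!loggedIn) {
            // Stop here: nothing of the protected page may be written.
            response.sendRedirect(request.getContextPath() + LOGIN_PATH);
            return;
        }

        // HTTP/1.1 directives plus HTTP/1.0 fallbacks, set before any output.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0L);

        chain.doFilter(request, response);
    }

    public void destroy() { }
}
```

A page the filter mapping does not cover keeps the container's default caching and will still be shown from the Back button, so the mapping has to include every session-related JSP and action.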

  




How to prevent URL cached

2005-12-01 Thread info3853 Bush
I noticed that in many web applications, after you logout from the
application, you can still use the browser "back" button to view some pages
you supposedly shouldn't. In some web applications, like gmail, if you logout and
click back, it will always redirect the page to the login page. Some other
applications, even like ameritrade, will allow you to view some static
content just visited.

My question is whether there is any easy way in struts to configure that, after
you logout from the application, using the browser "back" button will always direct
you to the login page.
  



Re: How to prevent the login information cached

2005-10-27 Thread info3853 Bush
Hi, Michael,

What you suggest works fine. In this way, the URL is
changed from login.do to login.jsp. And in the JSP, all
user information has been reinitialized, so the user has to
provide login information.

Thanks,

Bush

--- Michael Jouravlev <[EMAIL PROTECTED]> wrote:

> On 10/26/05, info3853 Bush <[EMAIL PROTECTED]>
> wrote:
> > I had a web application based on the struts framework.
> > Recently, I found that after you logout, you use the
> > browser back button back to the login.do
> > page, the page shows the Page Time Out; however,
> > if you click the refresh button, the page
> > automatically logs in to the application without asking
> > you for any user information. Anyone has an idea to handle
> > this situation?
> 
> After you log in, you must redirect to the success
> page instead of forwarding to it.
> 
> What probably happens in your case: you log in and
> forward to the success page. At this point the success page is
> addressed with the prior login request, so if you refresh
> the success page, you will reinvoke the login request. After
> you log in, you go back to the success page and reload it,
> which reinvokes the login request and bam, you are logged in
> again.
> 
> Michael.
> 








Re: [OT] Re: How to prevent the login information cached

2005-10-27 Thread info3853 Bush
Thanks for the information.

Unfortunately, we did exactly the same as described.
The thing is that Windows 2000 allows login information to be
cached. When you use the back button to the point
where the URL is something like
http://xxxDomain/applicationName/logon.do
and you refresh the page, Windows will ask you if you
want to resend the information; if you hit yes, then
the cached user and password information will be sent to
your webserver with a new session id (this will not
directly go through your login page, instead just the
login action with the cached user information).

--- Hotmail <[EMAIL PROTECTED]> wrote:

> why not have an action configured for logoff in
> struts-config.xml
>
> <action path="/logoff"
>         type="org.apache.struts.webapp.example.LogoffAction">
>     <forward name="success" path="/WEB-INF/jsp/index.jsp"/>
> </action>
>
> then somewhere inside LogoffAction class invalidate
> your session and
> redirect to your index.jsp
> e.g.
> import javax.servlet.http.HttpServletRequest;
> import javax.servlet.http.HttpServletResponse;
> import javax.servlet.http.HttpSession;
> import org.apache.struts.action.Action;
> import org.apache.struts.action.ActionForm;
> import org.apache.struts.action.ActionForward;
> import org.apache.struts.action.ActionMapping;
>
> public class LogoffAction extends Action
> {
>     public ActionForward execute( ActionMapping actionMapping,
>                                   ActionForm actionForm,
>                                   HttpServletRequest httpServletRequest,
>                                   HttpServletResponse httpServletResponse )
>     { //start execute
>         // getSession( false ): do not create a new session just to drop it
>         HttpSession session = httpServletRequest.getSession( false );
>         if ( session != null )
>         {
>             session.invalidate();
>         }
>         //go to index.jsp
>         return actionMapping.findForward( "success" );
>     } //end execute
> }  //end LogoffAction
> - Original Message -
> From: "info3853 Bush" <[EMAIL PROTECTED]>
> To: "Struts Users Mailing List"
>
> Sent: Wednesday, October 26, 2005 1:13 PM
> Subject: Re: [OT] Re: How to prevent the login information cached
>
>
> > In my logout method, we use the session.invalidate() method and redirect
> > the page to the login page again.
> >
> > Dave Newton <[EMAIL PROTECTED]> wrote: info3853 Bush wrote:
> >
> > >>Anyone has idea to handle this situation?
> > >>
> > >>
> > > Sounds like your logout method is broken.
> > >
> > > Dave
> >





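The redirect-after-login pattern Michael describes, written as a Struts 1 action (an added example, not code from the thread): after a successful login the browser receives a 302 to the success page, so the page the user lands on is addressed by its own GET URL, and a later Refresh, or Back followed by Refresh, has no login request to replay. The form bean LoginForm with getUsername()/getPassword(), the UserRepository.authenticate(...) call, and the "success" and "failure" forwards in struts-config.xml are assumptions of this example.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public class LoginAction extends Action {

    // Same attribute the per-page check / session filter looks for.
    private static final String USER_ATTRIBUTE = "USER";

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {
        // LoginForm and UserRepository are assumed for this example; how the
        // credentials are verified is not the point here.
        LoginForm loginForm = (LoginForm) form;
        if (!UserRepository.authenticate(loginForm.getUsername(),
                                         loginForm.getPassword())) {
            // Forwarding back to the login JSP is fine: there is nothing to replay.
            return mapping.findForward("failure");
        }

        request.getSession(true).setAttribute(USER_ATTRIBUTE, loginForm.getUsername());

        // A forward would leave the success page addressed by the login POST
        // (login.do), so Refresh would repeat the login with the browser's
        // cached form data. Redirect instead: ActionForward(path, true) makes
        // Struts send a 302 to the configured path, the same effect as
        // redirect="true" on the <forward> element in struts-config.xml.
        ActionForward success = mapping.findForward("success");
        return new ActionForward(success.getPath(), true);
    }
}
```

The failure branch deliberately keeps the forward: the login JSP rendered under login.do carries no session, so re-posting it only re-runs a failed login.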



Re: [OT] Re: How to prevent the login information cached

2005-10-26 Thread info3853 Bush
In my logout method, we use the session.invalidate() method and redirect the
page to the login page again.

Dave Newton <[EMAIL PROTECTED]> wrote: info3853 Bush wrote:

>Anyone has idea to handle this situation?
> 
>
Sounds like your logout method is broken.

Dave







How to prevent the login information cached

2005-10-26 Thread info3853 Bush
I had a web application based on the struts framework. Recently, I found that after
you logout, you use the browser back button back to the login.do
page, the page shows the Page Time Out; however, if you click the refresh
button, the page automatically logs in to the application without asking you for any
user information. Anyone has an idea to handle this situation?
 
Thanks,


