Never mind--I realized that the page was cached by the browser. If I refresh it, I get forwarded to login.
That does suggest to me, though, that in a Struts app where security matters, forms should always be delivered with a no-cache directive; otherwise it is possible to redisplay sensitive information after a user has logged out.

> -----Original Message-----
> From: Dennis Doubleday [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 18, 2002 10:44 AM
> To: 'Struts Users Mailing List'
> Subject: Unexpected login behavior in struts-example from 1.1b
>
> So, I log in as "user" to the struts-example app, go to the
> "Edit Subscription" page and bookmark it. (The bookmarked URL is
> http://foghorn:8088/struts-example/editSubscription.do?action=Edit&username=user&host=mail.yahoo.com).
> Then I log out of the application. (I verified that I was logged
> out--the main menu offers a link to login.) Now I visit the
> bookmarked URL. At this point I expected to be directed to the
> login screen, because EditSubscriptionAction checks for an existing
> session with a user attribute. Instead, the Edit Subscription screen
> was displayed exactly as it was when I had an active session. ONLY
> when I tried to submit the form did I see the login screen. Why
> don't I get forwarded to "Login" right away? I am confused--the
> code seems to be there.

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>