That's true. This topic belongs to web application security. The thing is that all static content is shown when you use the "back" button. Of course, you can't click any link since the session is already invalidated. Normally, you do all access control through the BaseAction class since all actions are dispatched somehow from there. If you have a Struts application, you can send a request something like: http://yourapplication/XXX.do and XXX is configured in your struts-config.xml, then you will see what happens. There will be some kind of exception thrown, but not a proper message like "page not existed", etc.

Laurie Harper <[EMAIL PROTECTED]> wrote:

info3853 Bush wrote:
> I noticed that in many web applications, after you logout from the
> application, you can still use the browser "back" button to view some pages
> you supposedly shouldn't. Some web applications, like gmail, if you logout,
> and click the back, it will always redirect the page to the login page. Some
> other applications, even like ameritrade, it will allow you to view some
> static content just visited.
>
> My question is that if there is any easy way in struts to configure after you
> logout from application, using browser "back" button will always direct you
> to the login page.

As with any web application, Struts-based or otherwise, you need to secure the content you don't want to be re-visitable after logout, and make sure that as part of your logout processing you invalidate the current session and any authentication credentials you have stored elsewhere.

For example, you could have a check on each request for an 'authenticated' token or flag in the session and if it's not present, redirect to a login page.

Unfortunately, there are too many ways to approach this kind of thing to list here. Which are appropriate depends on your requirements. Try googling for 'web application security', you'll find *lots* of further reading on the topic.

L.
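
Added example, not part of either message in this thread and not Struts' own code: a servlet filter that performs the per-request check for an 'authenticated' session flag described above, and also marks responses as non-cacheable so the "back" button has to re-request the page instead of showing the browser's stored copy. The attribute name `authenticated`, the path `/login.do`, and a `*.do` filter mapping in web.xml are assumptions; the logout action is assumed to call `session.invalidate()`.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Gate every mapped request on a session flag and forbid caching of the response. */
public class AuthenticatedFilter implements Filter {
    // Assumed names: the login action sets this attribute to Boolean.TRUE.
    private static final String AUTH_ATTR = "authenticated";
    private static final String LOGIN_PATH = "/login.do";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // Ask the browser and any proxy not to keep a copy, so "back" after
        // logout triggers a new request that reaches the check below.
        res.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        res.setHeader("Pragma", "no-cache");   // HTTP/1.0 clients
        res.setDateHeader("Expires", 0);

        // getSession(false): do not create a session just to inspect it.
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null
                && Boolean.TRUE.equals(session.getAttribute(AUTH_ATTR));
        // Let the login action itself through, otherwise nobody can log in.
        boolean isLogin = LOGIN_PATH.equals(req.getServletPath());

        if (loggedIn || isLogin) {
            chain.doFilter(req, res);
        } else {
            // Covers invalidated sessions, expired sessions and requests
            // that never authenticated.
            res.sendRedirect(req.getContextPath() + LOGIN_PATH);
        }
    }
}
```

Content served outside the filter mapping (for example static files fetched directly) gets neither the check nor the cache headers, so the mapping has to cover every URL that should not be viewable after logout.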