That's true. This topic belongs to web application security.

The thing is that all static content is shown when you use the "back"
button. Of course, you can't click any link since the session is already
invalidated.

Normally, you do all access control through the BaseAction class, since all
actions are dispatched somehow from there. If you have a Struts application, you
can send a request something like
http://yourapplication/XXX.do, where XXX is configured in your
struts-config.xml, and then you will see what happens. Some kind of
exception will be thrown, but not a proper message like "page does not
exist", etc.

Laurie Harper <[EMAIL PROTECTED]> wrote:
  info3853 Bush wrote:
> I noticed that in many web applications, after you log out from the 
> application, you can still use the browser "back" button to view some pages 
> you supposedly shouldn't. In some web applications, like Gmail, if you log out 
> and click back, it will always redirect you to the login page. Some 
> other applications, even ones like Ameritrade, will allow you to view some 
> static content you just visited.
> 
> My question is whether there is any easy way in Struts to configure that, after you 
> log out from the application, using the browser "back" button will always direct you 
> to the login page.

As with any web application, Struts-based or otherwise, you need to 
secure the content you don't want to be re-visitable after logout, and 
make sure that as part of your logout processing you invalidate the 
current session and any authentication credentials you have stored 
elsewhere.

For example, you could have a check on each request for an 
'authenticated' token or flag in the session and, if it's not present, 
redirect to a login page.

Unfortunately, there are too many ways to approach this kind of thing to 
list here. Which are appropriate depends on your requirements. Try 
googling for 'web application security'; you'll find *lots* of further 
reading on the topic.

L.
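The per-request session check Laurie describes, put into the BaseAction that the reply says all actions dispatch through, plus a logout action that invalidates the session, as an added Struts 1 example that is not from either poster. It assumes a global forward named "login" in struts-config.xml and a session attribute named "authenticated" set at login; the no-cache headers are there so the browser does not replay protected pages from its cache on "back".

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Base class every protected action extends (hypothetical, as in the reply). */
public abstract class BaseAction extends Action {

    /** Session attribute set at login time; the name is an assumption. */
    public static final String AUTH_FLAG = "authenticated";

    public final ActionForward execute(ActionMapping mapping, ActionForm form,
                                       HttpServletRequest request,
                                       HttpServletResponse response) throws Exception {
        // Stop browsers and proxies caching protected pages, so "back" after
        // logout cannot show them from cache; it must re-request them.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        // getSession(false): never create a session for an unauthenticated request.
        HttpSession session = request.getSession(false);
        if (session == null || !Boolean.TRUE.equals(session.getAttribute(AUTH_FLAG))) {
            // "login" is assumed to be a global forward in struts-config.xml
            return mapping.findForward("login");
        }
        return executeAuthenticated(mapping, form, request, response);
    }

    /** Subclasses do the real work here; only reached with a valid session flag. */
    protected abstract ActionForward executeAuthenticated(ActionMapping mapping,
            ActionForm form, HttpServletRequest request,
            HttpServletResponse response) throws Exception;
}

/** Logout: invalidate the server-side session, then send the user to login. */
class LogoutAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate(); // drops the "authenticated" flag with the session
        }
        return mapping.findForward("login");
    }
}
```

Any credential stored outside the session (for example a remember-me cookie) still has to be cleared separately in LogoutAction, as Laurie notes.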

