Try putting all of the Cache-Control commands inline, comma separated:

<meta http-equiv="Cache-Control" content="no-store,no-cache,must-revalidate">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="-1">

You can also set the headers:

<%
response.setHeader("Cache-Control","no-cache,no-store,must-revalidate");
response.setHeader("Pragma","no-cache");
response.setDateHeader("Expires", -1);
%>

I'm not sure of the implications of using /login.jsp?error=true as an error page - though it was recently discussed on this list, you may wish to search the archives.

I usually place my login pages out of the way:

 WEB-INF/login/form.jsp
 WEB-INF/login/error.jsp

so they can't be accessed directly.


p


(tip: send plain text mail to avoid crazy formatting)




Luke McMahon wrote:
Hi there, I'm new to the list, just having some trouble getting my 
authentication to work with Firefox. I'm trying to protect access to a member 
area in my new website, and am just using the built in form based security for 
now. I'm using Tomcat 6.0.14, IE7 and Firefox 2.0.0.6.

When attempting to access the member area (/members/) the user is to be 
redirected to /login.jsp. The error page is the same but with a parameter 
(/login.jsp?error=true). When using IE7, all of this works just fine and after 
successful login, the user is sent to /members/

When using Firefox, when everything is freshly built it works the first time. 
If I then log out (using session.invalidate() and being redirected to the home 
page) and log in again it stops working. After a successful login the user is 
presented not with the /members/ page, but with the login page again. Hitting 
refresh actually gives us the page we're after, so it seems to be caching the 
login page 'as' the /members/ page.

-------------------------------------------
Here is a section from my web.xml:
-------------------------------------------
  <security-constraint>
   <display-name>Member Access</display-name>
   <web-resource-collection>
    <web-resource-name>Member Access Area</web-resource-name>
    <url-pattern>/members/*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
   </web-resource-collection>
   <auth-constraint>
    <role-name>administrator</role-name>
    <role-name>member</role-name>
    <role-name>student</role-name>
   </auth-constraint>
  </security-constraint>
  <login-config>
   <auth-method>FORM</auth-method>
   <realm-name>Member Area</realm-name>
   <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login.jsp?error=true</form-error-page>
   </form-login-config>
  </login-config>

-----------------------------------------
Here is my logout code:
-----------------------------------------
<% session.invalidate();response.sendRedirect("/"); %>

-----------------------------------------
Here is my login code:
-----------------------------------------
<form method="post" action='<%= response.encodeURL("j_security_check") %>' >
<table border="0" cellspacing="5">
<tr>
<th align="right">Username:</th>
<td align="left"><input type="text" name="j_username" /></td>
</tr>
<tr>
<th align="right">Password:</th>
<td align="left"><input type="password" name="j_password" /></td>
</tr>
<tr>
<td align="right"><input type="submit" value="Log In" /></td>
<td align="left"><input type="reset" /></td>
</tr>
</table></form>

Note: I've tried putting the following code at the top of my login.jsp and 
logout.jsp files but it doesn't seem to help:

<%
response.setHeader("Cache-Control","no-cache");
response.setHeader("Cache-Control","no-store");
response.setDateHeader("Expires", -1);
response.setHeader("Pragma","no-cache");
%>

Thanks very much for any assistance, Luke.

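The header advice in the reply above, applied once in a servlet filter instead of at the top of each JSP. This is an added example, not code from either poster; the class name NoCacheFilter, the filter name noCache and the mapping shown in the comments are assumptions based on the web.xml quoted in the thread.

```java
// Added example, not from the thread. NoCacheFilter and the filter name
// "noCache" are hypothetical; the URL patterns follow the quoted web.xml.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// web.xml mapping (assumed):
//   <filter>
//     <filter-name>noCache</filter-name>
//     <filter-class>NoCacheFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>noCache</filter-name>
//     <url-pattern>/members/*</url-pattern>
//   </filter-mapping>
//   <filter-mapping>
//     <filter-name>noCache</filter-name>
//     <url-pattern>/login.jsp</url-pattern>
//     <dispatcher>REQUEST</dispatcher>   <!-- page requested directly -->
//     <dispatcher>FORWARD</dispatcher>   <!-- page reached by a forward -->
//   </filter-mapping>
public class NoCacheFilter implements Filter {

    public void init(FilterConfig config) {
        // no configuration needed
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) res;
            // setHeader() replaces any value already set for the same name, so
            // two calls for Cache-Control leave only the second directive.
            // All directives therefore go into one comma-separated value.
            http.setHeader("Cache-Control", "no-cache,no-store,must-revalidate");
            http.setHeader("Pragma", "no-cache");   // for HTTP/1.0 caches
            http.setDateHeader("Expires", -1);
        }
        // Headers are set before the rest of the chain writes the body,
        // while the response is still uncommitted.
        chain.doFilter(req, res);
    }

    public void destroy() {
        // nothing to release
    }
}
```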