Just noticing something here, and adding my grain of salt:

Martin O'Shea wrote:
...


The underlying principle here is that if multiple users use the same PC,

(with or without logging out/in ?)

and
maybe even the same session in a browser, a single cookie is used to store a
userid. Various system pages have a login facility and if invoked, the
cookie is rewritten with the current user's id. But this is where the Back
button issue occurs so it may be that session invalidation solves my problem.

I would tend to say that if multiple users use a PC, and they do not each login with their own user-id, then the basic behaviour which you explain is to be expected. These users share a single "user environment" on that PC, which includes the browser's history, cookies, and much more than that under Windows (think "recent documents", desktop, etc.).

I am not sure that the issue then is at your application level or at the Tomcat level.
It is more at the general usage (and security) policies level.
Morality: don't do that.

If users do logout and login on that PC each with his own user-id, that issue would not exist, because Windows keeps a separate "user profile" for each of these users, so they would never share a cookie, for example.
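As an added illustration (not code from this thread, from Martin's application or from Tomcat), here is how the two ideas raised above, keeping the user id in the server-side session instead of a cookie that every user of the shared browser can read, and invalidating the session on login and on logout, look in a Java servlet application. A filter also sends Cache-Control headers so that the Back button re-requests a page from the server rather than showing a cached copy from the previous user. The `Credentials.check` method, the URL paths and the 15-minute timeout are assumptions made for the example; the servlets and filters are nested in one class only to keep the example in a single file.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Session handling for a PC shared by several users (example code, not from the thread). */
public class SharedPcSessionHandling {

    /** Hypothetical credential check; a real application would consult its user store. */
    static final class Credentials {
        static boolean check(String user, String password) {
            return user != null && password != null && !user.isEmpty() && !password.isEmpty();
        }
    }

    /** Login: throw away whatever session the browser carried, then start a fresh one. */
    @WebServlet("/login")
    public static class LoginServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            String user = req.getParameter("username");
            if (!Credentials.check(user, req.getParameter("password"))) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // The previous user's session (same browser, no OS logout) must not survive a new login;
            // invalidating it also defeats session fixation, since a new session id is issued.
            HttpSession old = req.getSession(false);
            if (old != null) {
                old.invalidate();
            }
            HttpSession fresh = req.getSession(true);
            // The user id is kept server-side, keyed by the session id; no user id cookie is written.
            fresh.setAttribute("userid", user);
            fresh.setMaxInactiveInterval(15 * 60); // assumed idle timeout, in seconds
            resp.sendRedirect(req.getContextPath() + "/home");
        }
    }

    /** Logout: invalidate the session so the next person at the PC starts unauthenticated. */
    @WebServlet("/logout")
    public static class LogoutServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            resp.sendRedirect(req.getContextPath() + "/login");
        }
    }

    /** Protected pages: require a server-side user id and forbid caching of the response. */
    @WebFilter("/home/*")
    public static class AuthAndNoStoreFilter implements Filter {
        @Override
        public void init(FilterConfig filterConfig) { }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse resp = (HttpServletResponse) response;
            // Without these headers the browser may replay the last user's page from its cache
            // when the Back button is pressed, even though the session has been invalidated.
            resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
            resp.setHeader("Pragma", "no-cache");
            resp.setDateHeader("Expires", 0);

            HttpSession session = req.getSession(false);
            if (session == null || session.getAttribute("userid") == null) {
                resp.sendRedirect(req.getContextPath() + "/login");
                return;
            }
            chain.doFilter(request, response);
        }

        @Override
        public void destroy() { }
    }
}
```

With this arrangement the only thing the shared browser holds is the session id cookie; after a logout or a second user's login that id no longer maps to anything on the server, so the Back button yields a redirect to the login page instead of the previous user's data.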



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
