Hello

 

I'm using Apache Tomcat 6.0.26 for an application where the majority of the
content is hidden behind a page requiring authenticated login. This appears
to work fine but upon logout, I find I am able to browse back through some
of the pages visited in the session. 

 

As far as I'm aware, and in other applications I've seen and worked on, this
shouldn't happen.

 

I'm using a listener to detect sessions created and destroyed and this seems
to be fine because I'm recording events in the database when these happen. 

 

My log out instruction is present on most pages as follows:  

 

<a href = "/myApp/jsp/index/index.jsp?logoff=true" title = "Log out.">

 

And in the index.jsp cited above, I have code:

 

<%
   // Log out.
   if (request.getParameter("logoff") != null) {
        session.invalidate();
        response.sendRedirect("/myApp/");
        return;
   }
%>

 

Which returns a user to the login page.

 

The problem is only occasional and I can see no pattern to it, but it
happens under two different installations of version 6.0.26 on different
machines. So either this version is the cause, which I don't believe because
other applications seem unaffected, or my application has an issue which I
can't find.

 

Any ideas?

 

Thanks

 

Martin O'Shea.
