Hi, I have a webapp where a user can login and edit their profile, password, and view sales/financial history. I use the MVC pattern so the user views this information on jsp pages which are fed info from a servlet controller which interacts with a model. My question is, after I've logged in and viewed those jsp pages with the sensitive info on them and log out, I can still view that information is I type in the URL for any of those pages. How can I prevent this? When log out is performed I use session.invalidate(). I have the customer's info saved in the session using a userbean and salesbean. Would these beans not be removed when I use session.invalidate()?
I was thinking for those sensitive pages which are in jsp... should I check to see if there is an existing session, and if not, redirect off those pages? Would that be the best way?