Hi, I have a login page that lets a user enter his/her username and password. If valid, it takes them to a page where they can administer a table in their database using form fields. My question is, if another user comes along after somebody has been logged in, and presses the back button or forward button on the browser and gets past the login page to see the administration page, how can I stop this? Could anyone tell me how I can stop this from happening? I'd like to use sessions but I'm not sure how to go about it. Thanks, Rui
Make the admin page and every action on the admin page check to see if the session is valid and active. If it isn't, redirect to a login or not-authorized page. Then encourage people to log out and set a reasonable timeout for the sessions. If someone leaves a valid session and another person comes on the machine, there isn't much you can do. It's like I signed onto my account and then left it there for you. Maybe when the new retinal scan/fingerprint API comes out.
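One way to put that advice into practice is a servlet filter in front of every admin URL, so the check is not forgotten on any single page or action. This is an added example, not code from the thread; it assumes the standard Servlet API (javax.servlet), that the login code stores the authenticated username in a session attribute named "user", and hypothetical paths like /login.jsp and /admin/*. It also sets no-cache headers, because even a correct session check cannot stop the Back button from showing a copy of the admin page that the browser cached earlier.

```java
// Added example (not from the original thread). Assumes the Servlet API
// (javax.servlet.*) and that the login servlet stores the logged-in username
// under the session attribute "user". The paths used here are hypothetical.
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class AdminAuthFilter implements Filter {
    public static final String USER_ATTR = "user";
    private static final String LOGIN_PAGE = "/login.jsp";

    public void init(FilterConfig config) {}
    public void destroy() {}

    /** True only when the request carries a live session with a logged-in user. */
    static boolean isAuthenticated(HttpServletRequest req) {
        // getSession(false) never creates a session; an anonymous visitor gets null.
        HttpSession session = req.getSession(false);
        return session != null && session.getAttribute(USER_ATTR) != null;
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Tell the browser not to cache admin pages, so Back/Forward cannot
        // replay a stale copy after logout or after the session has expired.
        resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        resp.setHeader("Pragma", "no-cache");
        resp.setDateHeader("Expires", 0);

        if (!isAuthenticated(req)) {
            // Not logged in (or session timed out): send to the login page, stop here.
            resp.sendRedirect(req.getContextPath() + LOGIN_PAGE);
            return;
        }
        chain.doFilter(request, response); // let the admin page or action run
    }
}

/** Logout: invalidate the whole session so nothing survives for the next person at the machine. */
class LogoutServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        resp.sendRedirect(req.getContextPath() + "/login.jsp");
    }
}
```

Map the filter in web.xml with a filter-mapping whose url-pattern covers the whole admin area (for example /admin/*) rather than listing individual pages, so a newly added admin action is protected by default. Note that getSession(false) is deliberate: calling getSession() with no argument would create an empty session for an anonymous visitor, which the check would then have to distinguish from a logged-in one.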
Hi, thanks for the help. I got it working. I'm not sure what the session timeout is. I haven't set it yet. What is the default session timeout? And how do you set it? Thanks again, Rui
There is a default timeout that is set in the server configuration, or you can set it with a session method; can't remember what it is exactly off the top of my head, something like session.setMaxInterval(). Shouldn't be too hard to find.
There is another way to configure the session timeout, through web.xml. But the final word is from the session.setInactiveInterval(int t) API inside your servlet code. In other words, if you set BOTH in web.xml and inside your servlet code using the above API, only the API's value is taken into account. Please check this discussion on how to configure through web.xml: http://www.javaranch.com/ubb/Forum7/HTML/003140.html regds maha anna
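The two places a timeout can come from, as an added example that is not code from the thread: the web.xml fragment (shown in a comment) gives the application-wide default in minutes, and the per-session API call in the login servlet, which works in seconds, overrides it for that one session. The 30-minute and 10-minute values and the checkCredentials() placeholder are assumptions made for the example.

```java
// Added example (not from the original thread). Assumes the Servlet API and a
// hypothetical checkCredentials() lookup; the timeout values are illustrative.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.*;

/*
 * Application-wide default, set once in WEB-INF/web.xml (value in MINUTES):
 *
 *   <session-config>
 *     <session-timeout>30</session-timeout>
 *   </session-config>
 *
 * session.setMaxInactiveInterval() below works in SECONDS and, for that one
 * session, takes precedence over whatever web.xml says.
 */
public class LoginServlet extends HttpServlet {
    // Admin sessions get a shorter idle limit than the web.xml default, so an
    // unattended browser is logged out sooner.
    private static final int ADMIN_TIMEOUT_SECONDS = 10 * 60;

    /** Placeholder credential check; a real one compares against a stored password hash. */
    private boolean checkCredentials(String user, String password) {
        return user != null && password != null
                && user.equals("admin") && password.equals("placeholder-password");
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String password = req.getParameter("password");

        if (!checkCredentials(user, password)) {
            resp.sendRedirect(req.getContextPath() + "/login.jsp?error=1");
            return;
        }

        // Discard any session that existed before authentication, so a session id
        // handed out before login is never promoted to a logged-in one.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = req.getSession(true);

        session.setAttribute("user", user);
        // Per-session override of the web.xml default; negative means never expire.
        session.setMaxInactiveInterval(ADMIN_TIMEOUT_SECONDS);

        resp.sendRedirect(req.getContextPath() + "/admin/index.jsp");
    }
}
```

To see which value is actually in force for a given session, call session.getMaxInactiveInterval(): for a session created by this servlet it returns 600, while a session created elsewhere in the same application reports the web.xml default converted to seconds (1800 for the fragment above). Keep the units straight: web.xml counts minutes, the API counts seconds, and passing a negative number disables the timeout entirely, which defeats the point of the advice above.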
[This message has been edited by maha anna (edited May 11, 2001).]