Login problem

mishug Goyal
Ranch Hand

Joined: Aug 19, 2008
Posts: 57
Hi Ranchers!!

I am creating a login page in JSP where a user has to give an authorised user name and password; only then can he enter the home page.

Now the problem is that if a user successfully logs in and enters the home page, and then clicks the browser's back button, it goes to the login page again; and on that page, if this time the user does not enter any username or password and clicks the browser's forward button, he is also able to land on the home page. So the question is: is there any way/method in JSP or servlet (other than doing it in JavaScript) through which we can restrict the user's landing on the home page in the latter case?

Thanks in advance !!
[ September 22, 2008: Message edited by: Bear Bibeault ]

SCJP 1.5, SCDJWS 5
Steve Luke
Bartender

Joined: Jan 28, 2003
Posts: 4181

You will want to make sure of two things:

1) You have all the no-cache headers set for every page that should be behind a user login and on the login page so when they press back after a login the user can't see previous data.



2) When you Post the login form it should go to a Servlet that checks the username and password. After the check is successful, the Servlet should use response.sendRedirect() to go to the successful login page. This will prevent the Back-Forward buttons from accessing the form Post and thus prevent unintended logins.

Sometimes I see it suggested that you should also put a token in the login form that the server can use to identify the request and make sure that this sort of thing doesn't happen even if the browser stores the username/password in a manner that the caching above won't fix.

In the form enter a unique value (random number/character sequence, date/time... ) and store it in the session.

Then on the login servlet:


Steve
mishug Goyal
Ranch Hand

Joined: Aug 19, 2008
Posts: 57
Hi Steve,

I have tried both ways but the problem still persists....
It might be that this is due to some specific session time duration set by the container...

What do you say.....
Amit Ghorpade
Bartender

Joined: Jun 06, 2007
Posts: 2716

It might be that this is due to some specific session time duration set by the container...

The session time is not set by the container. You can specify one in the deployment descriptor.


SCJP, SCWCD.
|Asking Good Questions|
Steve Luke
Bartender

Joined: Jan 28, 2003
Posts: 4181

Originally posted by mishug Goyal:
Hi Steve,

I have tried both ways but the problem still persists....
It might be that this is due to some specific session time duration set by the container...

What do you say.....


How do you check if the user is logged in?