problem using html:link

 
Hi,

I am using the <html:link /> tag in the top menu of my JSP page.

I am passing parameters to the tag using its "name" attribute after storing them in a HashMap.

The parameters in the map are retrieved from "session". These are actually login parameters.

The problem is that even when I log out of the application and press the back button, although the session has been invalidated in my logout action class, these parameter values are still available to the html:link tag and I am able to browse through the application.

Please help. Below I am copying the code.



<%@ taglib uri="/WEB-INF/struts-logic.tld" prefix="logic" %>
<%@ taglib uri="/WEB-INF/struts-html.tld" prefix="html" %>

<%@ page import="java.io.*,java.util.*"%>

<%
// Copy the login parameters from the session into a map for html:link
if (((String) request.getSession().getAttribute("userid")) != null) {

    String userid = (String) request.getSession().getAttribute("userid");
    String password = (String) request.getSession().getAttribute("password");

    Map paramMap = new HashMap();
    paramMap.put("loginStatus", "USER");
    paramMap.put("userid", userid);
    paramMap.put("password", password);
    // Each map entry becomes a query-string parameter of the generated link
    request.setAttribute("linkParams", paramMap);
}
%>

<table align="right">
<tr bgcolor="#66CCFF">
<td><html:link action="Logout" styleClass="text"><b>Logout</b></html:link></td>
<td><html:link action="Login" name="linkParams" styleClass="text"><b>Enter As User</b></html:link></td>
</tr>
</table>

After logging out and going back to this JSP through the browser back button and pressing the link "Enter As User", I am able to browse the application.

Can this be corrected?

thanx
Sameer
 
This is probably a problem associated with browser caching. Whenever a user presses the back button, the browser typically searches for the page in its cache, and only if it's not there does it refresh it from the server. Since the page in the browser cache has the link, it's still visible even if there is no session.

The only way around this I know of is to tell the browser not to cache the page and even when you do, some stubborn browsers cache it anyway.

If you put the following code in your jsp, it should fix this problem.



However, from a security standpoint, there are still some problems. What happens if the user bookmarks one of your pages? If all a user needs is a link to get in, it's not very secure. Normally each time a user makes a request to the web application, there should be a mechanism to verify that she is logged in.
[ February 08, 2006: Message edited by: Merrill Higginson ]
 
sameer kumar
Hello Merrill,

This code has not solved the problem. You are right that the browsers are stubborn. Is there any other way I can get around this problem?
 
It seems like a very bad idea to embed a userid and a password in a link. If you do a "view source" on the page I am pretty sure you will see the password right there in clear text.

I am not sure that storing the userid and password in session is a great idea either, but it might be okay. Instead of reading these from session in your JSP and submitting them to your action, can't you read them out of the session in your action?

- Brent
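
The per-request login check Merrill describes and the session-side lookup Brent suggests, sketched as a servlet filter. This is an added example, not code from the thread: the class name and the public paths `/login.jsp` and `/Authenticate.do` are hypothetical, and only the `userid` session attribute comes from the original post.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: rejects any request that has no live, logged-in session. */
public class LoginCheckFilter implements Filter {

    // Hypothetical names: the login form and the action that validates a submitted form.
    // Everything else, including the action behind "Enter As User", needs a session.
    private static final Set<String> PUBLIC_PATHS =
            new HashSet<String>(Arrays.asList("/login.jsp", "/Authenticate.do"));
    private static final String LOGIN_PAGE = "/login.jsp";

    public void init(FilterConfig config) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Ask the browser not to keep a copy, so Back has to re-request the page.
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        // The login form and its handler must stay reachable without a session.
        if (PUBLIC_PATHS.contains(request.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false): never create a session just to check for one.
        HttpSession session = request.getSession(false);
        Object userid = (session == null) ? null : session.getAttribute("userid");
        if (userid == null) {
            // No session or already invalidated: a stale cached page gets no further.
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Mapped to all URLs in web.xml, this makes the server decide on every request, so a cached copy of the menu is harmless. The menu link then needs no `name="linkParams"` map, because the action can read `userid` from the session itself.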
 
sameer kumar
Thanks Brent.

Now I am doing it in the action and it's working fine.
 