File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes Struts and the fly likes problem using html:link Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Frameworks » Struts
Bookmark "problem using html:link" Watch "problem using html:link" New topic

problem using html:link

sameer kumar

Joined: Jan 06, 2006
Posts: 17

i am using <html:link /> tag in the top menu of my jsp page.

i am passing parameters to the tag using its "name" attribute after storing them in a HashMap.

The parameters in the map are retrieved from "session".These are actually Login parameters.

The problem is that even when i logout of the application and press the back button, although the session has been invalidated in my logout action class, these parameter values are still availaible to the html:link tag and i am able to browse through the application.

Please help. below i am copying the code

<%@ taglib uri="/WEB-INF/struts-logic.tld" prefix="logic" %>
<%@ taglib uri="/WEB-INF/struts-html.tld" prefix="html" %>

<%@ page import="*,java.util.*"%>


if(((String)request.getSession().getAttribute("userid"))!= null){

String userid =(String)request.getSession().getAttribute("userid");

String password =(String)request.getSession().getAttribute("password");

Map paramMap = new HashMap();
paramMap.put("loginStatus", "USER");
paramMap.put("userid", userid);
paramMap.put("password", password);
request.setAttribute("linkParams", paramMap);



<table align="right">
<tr bgcolor="#66CCFF">
<td ><html:link action="Logout" styleClass="text"><b>Logout </html:link></td>

<td ><html:link action="Login" name="linkParams" styleClass="text" ><b>Enter As User </html:link></td>


After loogging out and going back to this jsp thru the browser back button and press the link "Enter As user", i am able to browse the application.

Can this be corrected

Merrill Higginson
Ranch Hand

Joined: Feb 15, 2005
Posts: 4864
This is probably a problem associated with browser caching. Whenever a user presses the back button, the browser typically searches for the page in its cache, and only if it's not there does it refresh it from the server. Since the page in the browser cache has the link, it's still visible even if there is no session.

The only way around this I know of is to tell the browser not to cache the page and even when you do, some stubborn browsers cache it anyway.

If you put the following code in your jsp, it should fix this problem.

However, from a security standpoint, there are still some problems. What happens if the user bookmarks one of your pages? If all a user needs is a link to get in, it's not very secure. Normally each time a user makes a request to the web application, there should be a mechanism to verify that she is logged in.
[ February 08, 2006: Message edited by: Merrill Higginson ]

Consultant, Sima Solutions
sameer kumar

Joined: Jan 06, 2006
Posts: 17
hello Merrill,

This code has not solved the problem. You are right that the browsers are stubborn. Is there any other way i can get around this problem?
Brent Sterling
Ranch Hand

Joined: Feb 08, 2006
Posts: 948
It seems like a very bad idea to embed a userid and a password in a link. If you do a "view source" on the page I am pretty sure you will see the password right there in clear text.

I am not sure that storing the userid and password in session is a great idea either, but I it might be okay. Instead of reading these from session in your jsp and submitting them to your action, can't you read them out of the session in your action?

- Brent
sameer kumar

Joined: Jan 06, 2006
Posts: 17
thanks brent.

Now i am doing it in action and its working fine.
I agree. Here's the link:
subject: problem using html:link
It's not a secret anymore!