I am using the <html:link /> tag in the top menu of my JSP page.
I am passing parameters to the tag using its "name" attribute after storing them in a HashMap.
The parameters in the map are retrieved from "session". These are actually login parameters.
The problem is that even when I log out of the application and press the back button, although the session has been invalidated in my logout action class, these parameter values are still available to the html:link tag and I am able to browse through the application.
This is probably a problem associated with browser caching. Whenever a user presses the back button, the browser typically searches for the page in its cache, and only if it's not there does it refresh it from the server. Since the page in the browser cache has the link, it's still visible even if there is no session.
The only way around this I know of is to tell the browser not to cache the page and even when you do, some stubborn browsers cache it anyway.
If you put the following code in your jsp, it should fix this problem.
However, from a security standpoint, there are still some problems. What happens if the user bookmarks one of your pages? If all a user needs is a link to get in, it's not very secure. Normally each time a user makes a request to the web application, there should be a mechanism to verify that she is logged in. [ February 08, 2006: Message edited by: Merrill Higginson ]
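As an added illustration of the two points in the reply above (the no-cache headers for the JSP, and a per-request check that the user is still logged in), here is a servlet filter. This is example code written for this thread, not code from the original poster or from Struts; the session attribute name "loggedInUser", the URL pattern and the "/login.jsp" redirect target are assumptions.

```java
// Added example: a servlet filter that (a) tells the browser and any proxies not
// to cache protected pages, so the back button has to go to the server, and
// (b) verifies on every request that the session still holds a logged-in user.
// The attribute name "loggedInUser" and the "/login.jsp" path are assumptions.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginCheckFilter implements Filter {

    // Assumed name of the session attribute your login action sets.
    private static final String USER_ATTR = "loggedInUser";

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure in this example
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Cache-Control covers HTTP/1.1 clients, Pragma covers HTTP/1.0 ones,
        // and Expires: 0 (epoch) covers proxies that only honour the old header.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0L);

        // getSession(false) does not create a session; after logout it returns null.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;

        if (!loggedIn) {
            // No valid login: bookmarks, cached links and back-button replays all end here.
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }

        chain.doFilter(req, res);
    }

    public void destroy() {
        // nothing to release in this example
    }
}
```

Map the filter in web.xml with a filter-mapping whose url-pattern covers the protected pages (for example "/secure/*") but not the login page itself, otherwise the redirect loops. Because the check runs on every request rather than only when the menu is rendered, a bookmarked or cached link no longer gets the user in by itself.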
It seems like a very bad idea to embed a userid and a password in a link. If you do a "view source" on the page I am pretty sure you will see the password right there in clear text.
I am not sure that storing the userid and password in session is a great idea either, but it might be okay. Instead of reading these from session in your JSP and submitting them to your action, can't you read them out of the session in your action?