Here is the complete setup. I've tried this on my side and it works.
// login.jsp
<html>
<body>
<form method="post" action="/servlet/VerifyLogin">
Username: <input type="text" name="username"><br>
Password: <input type="password" name="pass"><br>
<input type="submit" value="Submit"> <input type="reset" value=" Cancel ">
</form>
</body>
</html>
// VerifyLogin.java
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
public class VerifyLogin extends HttpServlet
{
private HttpSession session;
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException
{
doPost(request, response);
}
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException
{
String username = request.getParameter("username").toString();
String password = request.getParameter("pass").toString();
session = request.getSession();
session.setAttribute("Logged", new Boolean(true));
if(username.equals("Username") &&
password.equals("Password"))
{
response.sendRedirect("/secure.jsp");
}
else
{
response.sendRedirect("/login.jsp");
}
}
}
// secure.jsp
<%
if(session.isNew() | | session.getAttribute("Logged") == null)
{
response.sendRedirect("/login.jsp");
}
%>
<html>
<body>
<a href="logout.jsp">Logout</a>
</body>
</html>
// logout.jsp
<%
session.invalidate();
response.sendRedirect("/login.jsp");
%>
This SHOULD work. If this doesn't work and the user is still able to refresh the "secure.jsp" page after logging out, then I'm not sure what to tell ya.
[This message has been edited by Rehan Malik (edited July 13, 2001).]