I am creating a login page in jsp where a user has to give authorised user name and password then only he can enter to home page.
Now the problem is that if a user successfully get login and enter to home page and then when then he clicks on browser's back button it again goes to login page and on that page if now this time user do not enter any username ,password and click on browser's forward button at that time also he is also able to land on home page. So question is that does there any way/method in jsp or servlet(other than doing it in java script) through which we can restrict user's home page landing in case of later one.
Thanks in advance !! [ September 22, 2008: Message edited by: Bear Bibeault ]
1) You have all the no-cache headers set for every page that should be behind a user login and on the login page so when they press back after a login the user can't see previous data.
2) When you Post the login form it should go to a Servlet that checks the username and password. After the check is successful then the Servlet should use a response.sendRedirect() to the successful login page. This will prevent the Back-Forward buttons from access to the form Post and thus from un-intended logins.
Sometimes I see it suggested that you should also put a token in the login form that the server can use to identify the request and make sure that this sort of thing doesn't happen even if the browser stores the username/password in a manner that the caching above won't fix.
In the form enter a unique value (random number/character sequence, date/time... ) and store it in the session.