Bear Bibeault wrote: If you are new to all this, you should probably not be building your own security system.
In fact, unless you are professionally-trained in security details and your sole involvement in the project is the security, you should not be building your own security system.
J2EE/JEE comes with its own professionally-designed, extensively-tested, well-documented login and role-based container security system. It can stop attackers before the webapp is even visible to the attacking request.
In contrast, about 95% of all the Do-It-Yourself security systems are nothing more than damp tissue paper and can more often than not be easily defeated by non-technical people in under 15 minutes. Hang around the Ranch for long, and you'll hear me sing that song again. And again. And again. Because it's based on many years of experience. Some of the flimsiest DIY login systems were used in critical things like banking and finance, and often some local "genius" designed them and mandated them for corporate use.
As for the "Back" button, Alt-LeftArrow, etc., forget it. You don't own those controls, the client does. There's nothing in the HTTP standard that supports meddling with the proper operation of the "back" function.
A quality security system such as the J2EE standard one won't care if they hit "Back", because the session will have been logged out and any attempt to reload a secured URL will simply bounce the user to the login screen.
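What the post describes in concrete terms, as an added example that is not part of the original post or of any project it mentions: a servlet guarded by container-managed security via Servlet 3.0 annotations, and a logout servlet that invalidates the session so that a "Back" followed by a reload of the secured URL is bounced to the login page by the container rather than by any application code. The role name "member", the URL paths and the class names are assumptions; the login method (FORM, BASIC, etc.) and the role declaration are configured in web.xml (<login-config> and <security-role>), which is not shown here. The two classes are shown in one fence for brevity but belong in separate source files.

```java
// File: AccountServlet.java  (example code, not from the post)
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Constructed example: a resource only users in the assumed "member" role may see.
// The container enforces this before service() is ever entered: an unauthenticated
// request is sent to the login page declared in web.xml, and an authenticated
// user who lacks the role gets a 403. No application code checks credentials.
@WebServlet("/secure/account")
@ServletSecurity(@HttpConstraint(rolesAllowed = "member"))
public class AccountServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Ask the browser not to cache the page. The server will refuse a reload
        // after logout regardless; these headers only reduce what "Back" can show
        // from the local cache, which the server does not control.
        resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        resp.setHeader("Pragma", "no-cache");
        resp.setDateHeader("Expires", 0);
        resp.setContentType("text/plain");
        // getRemoteUser() is populated by the container after a successful login.
        resp.getWriter().println("Hello, " + req.getRemoteUser());
    }
}
```

```java
// File: LogoutServlet.java  (example code, not from the post)
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Logging out is the only piece the application has to supply. Once the
// container no longer has an authenticated principal for this session, any
// later request to /secure/* (including a reload after "Back") is redirected
// to the login page by the container itself.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.logout();                         // Servlet 3.0: clear the container's authenticated user
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();             // drop server-side state so nothing survives the logout
        }
        resp.setHeader("Cache-Control", "no-store");
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```

Nothing here tries to intercept the "Back" button; the design choice is to make the server the only authority on whether a secured URL is served, so whatever the browser does with its history is harmless.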