Hi Lee,
Assuming that you're using some sort of User bean, I'll guess that your
servlet access code goes a little like this:
In other words, it depends on the user having a validated user bean and a current session.
When you invalidate the session on logout, a new session immediately takes its place, so the session portion is valid.
Contrary to what we might think, the user bean is still hanging around at this point, so on pasting a URL, the user can still get in after logging out.
The solution (hopefully) is rather simple: prior to invalidating the session, invalidate the user (don't just shut the door, also take away their key).
[ September 12, 2005: Message edited by: Ray Stojonic ]
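
The logout order described in the post above, as an added example that is not code from the thread or from either poster. The `User` bean, its `validated` flag, the `"user"` session attribute, the `/login` path and the `javax.servlet` API version are all assumptions, since the original snippet is not shown.

```java
import java.io.IOException;
import java.io.Serializable;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical user bean; the thread does not show the real one.
class User implements Serializable {
    private boolean validated;
    public boolean isValidated() { return validated; }
    public void setValidated(boolean validated) { this.validated = validated; }
}

// Access check for protected servlets: a session alone is not enough.
final class AccessCheck {
    static final String USER_ATTR = "user"; // assumed attribute name

    static boolean isLoggedIn(HttpServletRequest request) {
        // getSession(false) never creates a fresh session as a side effect.
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false;
        }
        Object bean = session.getAttribute(USER_ATTR);
        return bean instanceof User && ((User) bean).isValidated();
    }
}

public class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            Object bean = session.getAttribute(AccessCheck.USER_ATTR);
            if (bean instanceof User) {
                // Take away the key: any other reference to this bean now fails the check.
                ((User) bean).setValidated(false);
            }
            session.removeAttribute(AccessCheck.USER_ATTR);
            // Then shut the door.
            session.invalidate();
        }
        response.sendRedirect(request.getContextPath() + "/login"); // assumed login path
    }
}
```

Every protected servlet would call `AccessCheck.isLoggedIn(request)` before doing any work, so a pasted URL after logout fails on both the missing session and the de-validated bean.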