
Login problem

 
mishug Goyal
Ranch Hand
Posts: 57
Hi Ranchers!!

I am creating a login page in JSP where a user has to give an authorised user name and password; only then can he enter the home page.

Now the problem is that if a user successfully logs in and enters the home page, and then clicks the browser's back button, it goes to the login page again; if, on that page, the user does not enter any username or password and clicks the browser's forward button, he is still able to land on the home page. So the question is: is there any way/method in JSP or servlets (other than doing it in JavaScript) through which we can restrict the user's landing on the home page in the latter case?

Thanks in advance !!
[ September 22, 2008: Message edited by: Bear Bibeault ]
 
Steve Luke
Bartender
Posts: 4181
You will want to make sure of two things:

1) You have all the no-cache headers set for every page that should be behind a user login and on the login page so when they press back after a login the user can't see previous data.



2) When you Post the login form it should go to a Servlet that checks the username and password. After the check is successful, the Servlet should use a response.sendRedirect() to the successful login page. This will prevent the Back-Forward buttons from accessing the form Post and thus prevent unintended logins.

Sometimes I see it suggested that you should also put a token in the login form that the server can use to identify the request and make sure that this sort of thing doesn't happen even if the browser stores the username/password in a manner that the caching above won't fix.

In the form enter a unique value (random number/character sequence, date/time... ) and store it in the session.

Then on the login servlet:
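
The flow described in the answer above (no-cache headers, a redirect after the login POST, and a one-time form token kept in the session), as an added example that is not part of the original post or the poster's own code. The `/login` and `/home` paths, the session attribute names and the `authenticate()` hook are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.*;

// Added example, assumed to be mapped at /login; names and paths are hypothetical.
public abstract class LoginServlet extends HttpServlet {
    private static final SecureRandom RNG = new SecureRandom();

    // Application-specific credential check (assumption; supplied by a subclass).
    protected abstract boolean authenticate(String user, String password);

    static void noCache(HttpServletResponse resp) {
        resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        resp.setHeader("Pragma", "no-cache");
        resp.setDateHeader("Expires", 0);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        req.getSession(true).setAttribute("loginToken", token); // remembered server-side
        noCache(resp);
        resp.setContentType("text/html;charset=UTF-8");
        resp.getWriter().printf(
            "<form method='post'><input name='user'><input type='password' name='password'>"
            + "<input type='hidden' name='token' value='%s'><button>Login</button></form>", token);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession old = req.getSession(false);
        String expected = old == null ? null : (String) old.getAttribute("loginToken");
        if (old != null) old.removeAttribute("loginToken"); // single use: a replayed POST fails
        String sent = req.getParameter("token");
        boolean tokenOk = expected != null && sent != null && MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8), sent.getBytes(StandardCharsets.UTF_8));
        if (!tokenOk || !authenticate(req.getParameter("user"), req.getParameter("password"))) {
            resp.sendRedirect(req.getContextPath() + "/login"); // fresh form, fresh token
            return;
        }
        old.invalidate(); // start the authenticated session under a new session id
        req.getSession(true).setAttribute("user", req.getParameter("user"));
        resp.sendRedirect(req.getContextPath() + "/home"); // redirect instead of rendering the POST
    }
}
```

Pages behind the login would also call `noCache()` and check that the session's `user` attribute is set before rendering anything.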
 
mishug Goyal
Ranch Hand
Posts: 57
Hi Steve,

I have tried both ways but the problem still persists....
Maybe this is due to some specific session time duration set by the container...

What do you say?
 
Amit Ghorpade
Bartender
Posts: 2854
Maybe this is due to some specific session time duration set by the container...

The session time is not set by the container. You can specify one in the deployment descriptor.
 
Steve Luke
Bartender
Posts: 4181
Originally posted by mishug Goyal:
Hi Steve,

I have tried both ways but the problem still persists....
Maybe this is due to some specific session time duration set by the container...

What do you say?


How do you check if the user is logged in?
 