Greg Charles wrote: It does seem to me that if a user simply bookmarked the welcome page and went directly there, he/she would bypass the login process entirely.
Good luck!
My estimate over the years is that probably 95% of all the "do it yourself" login/security systems written for Java can be cracked in under 2 hours, often by non-technical people, and that this particular weakness is the #1 cause why.
The worst thing in the world that a company can do is tell their application programmer "Write this system. And while you're at it, make it secure". Well, except for when they add "By Thursday" to the requirements.
The SECOND worst thing in the world that a company can do security-wise is have some "genius" dream up a security system and make that the Corporate Standard.
Unless you are a full-time trained security professional, you have no business writing your own security code, especially when security systems already exist that were designed, written, tested and fully documented by full-time security professionals.
Security is not some sort of "All You Have To Do" thing. It's a delicate chain and only a single link needs to break in order to let the barbarian hordes in to plunder. Don't bother to back up databases. Hire cheap labor that doesn't know how to make code crash-resistant. Skimp on infrastructure and documentation.
But if you don't do security right, your critical corporate assets will be spirited away faster than you can say "Ashley Madison".
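The bookmark problem Greg Charles describes comes from checking credentials only on the login page rather than on every protected resource. The following is an added illustration, not code from either poster: a servlet filter that gates every request under an assumed `/app/*` path on a session attribute (`authenticatedUser`, an assumed name set by the login servlet) and sends anything else to an unprotected `/login` page, so a deep link to `/app/welcome.jsp` lands on the login form instead of the page.

```java
// Added example, not from the original thread. Package, URL patterns and the
// session attribute name are assumptions for illustration.
package example.auth;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Applied to every request whose path starts with /app/, which is where the
// protected pages (including the welcome page) are assumed to live. The login
// page itself lives outside /app/ so the redirect below cannot loop.
@WebFilter(urlPatterns = "/app/*")
public class AuthenticationFilter implements Filter {

    // Assumed: the login servlet stores the authenticated principal under this
    // key after verifying credentials, and nothing else ever sets it.
    static final String USER_ATTR = "authenticatedUser";

    @Override
    public void init(FilterConfig config) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session: a visitor who has no
        // session at all is, by definition, not logged in.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;

        if (!loggedIn) {
            // Deny by default: the bookmarked URL is never served until the
            // login servlet has put USER_ATTR into the session.
            response.sendRedirect(request.getContextPath() + "/login");
            return;
        }

        // Authenticated: let the request continue to the protected resource.
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

The same deny-by-default effect, without hand-written code, is what the container gives you with a `<security-constraint>` on `/app/*` in `web.xml` plus a `<login-config>`; that declarative mechanism is the kind of existing, tested security system the post recommends over rolling your own.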