You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by "Towns, Peter (ANTS)" <pe...@ants.co.uk> on 2002/02/28 18:58:37 UTC

Tomcat (4.0.2) expiring protected forms

Hi all,

I'd like to stop Tomcat (4.0.2) from expiring my forms and causing my
browser to spew out "Your webpage has expired, etc..." whenever a user
history.back()s to the form. Tomcat seems to be pretty keen to do this since
it's trying a whole bunch of headers to expire/no-cache my pages.

I've googled around it it's been suggested that this happens because I've
slapped a security-constraint across the whole site. So, Tomcat expires
every page in order that other users can't history.back() to any
(potentially sensitive) forms ..?

But is there so way to toggle this behaviour in Tomcat's config ..?
Obviously I'd rather not have to hack up any HttpServletResponses to achieve
this...

Any suggestions would be appreciated (& I apologise if I've missed something
obvious...),

Pete


***************************************************************************
This email message contains confidential information for the above addressee only.  If you are not the intended addressee you must not disclose or use the information in any manner whatsoever.

Any opinion or views contained in this email message are those of the sender, do not represent those of the Company in any way and reliance should not be placed upon its contents.

Unless otherwise stated this email message is not intended to be contractually binding.  Where an Agreement exists between our respective companies and there is conflict between the contents of this email message and the Agreement then the terms of that Agreement shall prevail.

Abbey National Treasury Services plc. Registered in England. Registered Office:  Abbey House, Baker Street, London NW1 6XL.  Company Registration No: 2338548.  Regulated by the FSA
***************************************************************************


--
To unsubscribe:   <ma...@jakarta.apache.org>
For additional commands: <ma...@jakarta.apache.org>
Troubles with the list: <ma...@jakarta.apache.org>

Re: Tomcat (4.0.2) expiring protected forms

Posted by Remy Maucherat <re...@apache.org>.
> Hi all,
>
> I'd like to stop Tomcat (4.0.2) from expiring my forms and causing my
> browser to spew out "Your webpage has expired, etc..." whenever a user
> history.back()s to the form. Tomcat seems to be pretty keen to do this
since
> it's trying a whole bunch of headers to expire/no-cache my pages.
>
> I've googled around it it's been suggested that this happens because I've
> slapped a security-constraint across the whole site. So, Tomcat expires
> every page in order that other users can't history.back() to any
> (potentially sensitive) forms ..?

It does that to avoid caching by intermediate proxies (using back is not the
problem we're trying to fix here).

> But is there so way to toggle this behaviour in Tomcat's config ..?

Not at the moment.

> Obviously I'd rather not have to hack up any HttpServletResponses to
achieve
> this...
>
> Any suggestions would be appreciated (& I apologise if I've missed
something
> obvious...),

Remy


--
To unsubscribe:   <ma...@jakarta.apache.org>
For additional commands: <ma...@jakarta.apache.org>
Troubles with the list: <ma...@jakarta.apache.org>