Posted to users@cocoon.apache.org by Enke Michael <Mi...@wincor-nixdorf.com> on 2001/08/16 12:46:14 UTC

session-invalidator and back-button?

Hi,
I tried the web-application demo from cocoon2
where a login and logout can be performed.
But after logout if I press the back button of my browser
I get back into protected area without authorization.
How can this be avoided?

Michael

---------------------------------------------------------------------
Please check that your question has not already been answered in the
FAQ before posting. <http://xml.apache.org/cocoon/faqs.html>

To unsubscribe, e-mail: <co...@xml.apache.org>
For additional commands, e-mail: <co...@xml.apache.org>


Re: session-invalidator and back-button?

Posted by Adrian Geissel <ag...@zenark.com>.
The solution presented is not a Cocoon specific solution, but rather
addresses the issue of the client-side browser keeping a history.
In a past life, we coded an application to do this using JavaScript that the
browser used to spawn the protected window. All pages accessed and presented
within the window are basically unchanged, therefore only requiring
JavaScript on the Login and Logout pages.

This is not an elegant solution, but it can work once you cater for the
major browsers (script variances).
Cheers
Adrian

----- Original Message -----
From: Enke Michael <Mi...@wincor-nixdorf.com>
To: <co...@xml.apache.org>
Sent: Thursday, August 16, 2001 1:53 PM
Subject: Re: session-invalidator and back-button?


> But if I use e-mail or banking over internet,
> it is not possible to get the last page back.
> And there is no extra window, the back button is selectable.
> The server answers that an error occurred or that
> I have to login again.
>
> Is there a way in cocoon other than spawning another browser window?
>
> Michael
>
> Adrian Geissel wrote:
> >
> > Hi Michael,
> >
> > I believe that the only way to solve such an issue is to 'run' the protected
> > portion of your website in a spawned browser window, and then when the user
> > logs out, to close that window. This will ensure that the Back history,
> > which is local to a browser window, cannot be accessed with permission.
> >
> > Hope that this helps,
> > Adrian
> >
> > ----- Original Message -----
> > From: Enke Michael <Mi...@wincor-nixdorf.com>
> > To: <co...@xml.apache.org>
> > Sent: Thursday, August 16, 2001 11:46 AM
> > Subject: session-invalidator and back-button?
> >
> > > Hi,
> > > I tried the web-application demo from cocoon2
> > > where a login and logout can be performed.
> > > But after logout if I press the back button of my browser
> > > I get back into protected area without authorization.
> > > How can this be avoided?
> > >
> > > Michael


Re: session-invalidator and back-button?

Posted by Adrian Geissel <ag...@zenark.com>.
Hi,

I should have mentioned in my last reply that it is still the responsibility
of your application to ensure that sensitive content is protected - using
session parameters, or whatever. The solution I presented is for the
client-side issue.

Cheers
Adrian

----- Original Message -----
From: Enke Michael <Mi...@wincor-nixdorf.com>
To: <co...@xml.apache.org>
Sent: Thursday, August 16, 2001 1:53 PM
Subject: Re: session-invalidator and back-button?


> But if I use e-mail or banking over internet,
> it is not possible to get the last page back.
> And there is no extra window, the back button is selectable.
> The server answers that an error occurred or that
> I have to login again.
>
> Is there a way in cocoon other than spawning another browser window?
>
> Michael
>
> Adrian Geissel wrote:
> >
> > Hi Michael,
> >
> > I believe that the only way to solve such an issue is to 'run' the protected
> > portion of your website in a spawned browser window, and then when the user
> > logs out, to close that window. This will ensure that the Back history,
> > which is local to a browser window, cannot be accessed with permission.
> >
> > Hope that this helps,
> > Adrian
> >
> > ----- Original Message -----
> > From: Enke Michael <Mi...@wincor-nixdorf.com>
> > To: <co...@xml.apache.org>
> > Sent: Thursday, August 16, 2001 11:46 AM
> > Subject: session-invalidator and back-button?
> >
> > > Hi,
> > > I tried the web-application demo from cocoon2
> > > where a login and logout can be performed.
> > > But after logout if I press the back button of my browser
> > > I get back into protected area without authorization.
> > > How can this be avoided?
> > >
> > > Michael


Re: session-invalidator and back-button?

Posted by Enke Michael <Mi...@wincor-nixdorf.com>.
But if I use e-mail or banking over internet,
it is not possible to get the last page back.
And there is no extra window, the back button is selectable.
The server answers that an error occurred or that
I have to login again.

Is there a way in cocoon other than spawning another browser window?

Michael

Adrian Geissel wrote:
> 
> Hi Michael,
> 
> I believe that the only way to solve such an issue is to 'run' the protected
> portion of your website in a spawned browser window, and then when the user
> logs out, to close that window. This will ensure that the Back history,
> which is local to a browser window, cannot be accessed with permission.
> 
> Hope that this helps,
> Adrian
> 
> ----- Original Message -----
> From: Enke Michael <Mi...@wincor-nixdorf.com>
> To: <co...@xml.apache.org>
> Sent: Thursday, August 16, 2001 11:46 AM
> Subject: session-invalidator and back-button?
> 
> > Hi,
> > I tried the web-application demo from cocoon2
> > where a login and logout can be performed.
> > But after logout if I press the back button of my browser
> > I get back into protected area without authorization.
> > How can this be avoided?
> >
> > Michael


Re: session-invalidator and back-button?

Posted by Adrian Geissel <ag...@zenark.com>.
Hi Michael,

I believe that the only way to solve such an issue is to 'run' the protected
portion of your website in a spawned browser window, and then when the user
logs out, to close that window. This will ensure that the Back history,
which is local to a browser window, cannot be accessed with permission.

Hope that this helps,
Adrian


----- Original Message -----
From: Enke Michael <Mi...@wincor-nixdorf.com>
To: <co...@xml.apache.org>
Sent: Thursday, August 16, 2001 11:46 AM
Subject: session-invalidator and back-button?


> Hi,
> I tried the web-application demo from cocoon2
> where a login and logout can be performed.
> But after logout if I press the back button of my browser
> I get back into protected area without authorization.
> How can this be avoided?
>
> Michael


Re: session-invalidator and back-button?

Posted by Jorn Heid <he...@fh-heilbronn.de>.
I think it could be achieved by setting the expiration-date in the
http-header.

There are some meta-tags you can set in the html.

-----Original Message-----
From: Enke Michael [mailto:Michael.Enke@wincor-nixdorf.com]
Sent: Thursday, 16 August 2001 12:46
To: cocoon-users@xml.apache.org
Subject: session-invalidator and back-button?


Hi,
I tried the web-application demo from cocoon2
where a login and logout can be performed.
But after logout if I press the back button of my browser
I get back into protected area without authorization.
How can this be avoided?

Michael
