Posted to users@tomcat.apache.org by Paul Phillips <pa...@partitura.com> on 2002/07/09 17:40:13 UTC

j_security_check and logout

Hello, all --

I have a small application consisting of servlets and jsp pages.  I use 
form based authentication via j_security_check to login.

I have a strange problem I don't know how to solve.

I have implemented a simple logout procedure whereby the logout servlet 
invalidates the session, and then transfers to a final thanks.jsp page that 
just says "thanks..".   So far, so good.  However, I wanted to try and do 
something about the back button issue, so, on the main.jsp page that calls 
the logout, I wrote this bit of javascript:

<a href="greeting?event=LOGOUT" 
onclick="javascript:window.location.replace(this.href); 
event.returnValue=false; ">logout</a>

Ok, this seems to work fine.  After logout, if the user is sitting on the 
thanks.jsp page, and presses the back button, it skips back to the initial 
login.jsp page (ignoring the main.jsp page that used to be in between).

Good..

However!  If I try and use the login.jsp page at that point, I get this 
error from tomcat:

Apache Tomcat/4.0.3 - HTTP Status 400 - Invalid direct reference to form 
login page

So, it seems at that point that the login page doesn't know where I want to 
go, and bombs.  The place where I do want to go is greeting?event=WELCOME, 
but j_security_check has no way of knowing that, because it didn't come in 
through the URL.  Since we came back to login.jsp via the back button, it 
isn't there.

Any ideas on how to solve this?

Thanks
Paul Phillips

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: j_security_check and logout

Posted by Paul Phillips <pa...@partitura.com>.
As Craig wrote below:

> You should never reference the URL of the login page directly.  Instead,
> if you want to make them log back in, you should simply redirect them to
> some page within the protected area (perhaps the main menu).  The usual
> login dialog will happen.

I am not referencing the URL of the login page directly.  (At least I'm 
trying not to! :))
That is the problem.  The direct reference is a byproduct of the user 
pressing the back button when the "regular" intervening pages have been 
erased from history using javascript.

I still can't figure out a way around this...

Any ideas are appreciated...

Paul Phillips

--On Tuesday, July 9, 2002 10:50 AM -0700 "Craig R. McClanahan" 
<cr...@apache.org> wrote:

>
>
> On Tue, 9 Jul 2002, Paul Phillips wrote:
>
>> Date: Tue, 09 Jul 2002 10:40:13 -0500
>> From: Paul Phillips <pa...@partitura.com>
>> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
>> To: Tomcat Users List <to...@jakarta.apache.org>
>> Subject: j_security_check and logout
>>
>> Hello, all --
>>
>> I have a small application consisting of servlets and jsp pages.  I use
>> form based authentication via j_security_check to login.
>>
>> I have a strange problem I don't know how to solve.
>>
>> I have implemented a simple logout procedure whereby the logout servlet
>> invalidates the session, and then transfers to a final thanks.jsp page
>> that just says "thanks..".   So far, so good.  However, I wanted to try
>> and do something about the back button issue, so, on the main.jsp page
>> that calls the logout, I wrote this bit of javascript:
>>
>> <a href="greeting?event=LOGOUT"
>> onclick="javascript:window.location.replace(this.href);
>> event.returnValue=false; ">logout</a>
>>
>> Ok, this seems to work fine.  After logout, if the user is sitting on the
>> thanks.jsp page, and presses the back button, it skips back to the
>> initial login.jsp page (ignoring the main.jsp page that used to be in
>> between).
>>
>> Good..
>>
>> However!  If I try and use the login.jsp page at that point, I get this
>> error from tomcat:
>>
>> Apache Tomcat/4.0.3 - HTTP Status 400 - Invalid direct reference to form
>> login page
>>
>> So, it seems at that point that the login page doesn't know where I want
>> to go, and bombs.  The place where I do want to go is
>> greeting?event=WELCOME, but j_security_check has no way of knowing that,
>> because it didn't come in through the URL.  Since we came back to
>> login.jsp via the back button, it isn't there.
>>
>> Any ideas on how to solve this?
>>
>
> You should never reference the URL of the login page directly.  Instead,
> if you want to make them log back in, you should simply redirect them to
> some page within the protected area (perhaps the main menu).  The usual
> login dialog will happen.
>
>
>> Thanks
>> Paul Phillips
>>
>
> Craig





Re: j_security_check and logout

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Tue, 9 Jul 2002, Paul Phillips wrote:

> Date: Tue, 09 Jul 2002 10:40:13 -0500
> From: Paul Phillips <pa...@partitura.com>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: Tomcat Users List <to...@jakarta.apache.org>
> Subject: j_security_check and logout
>
> Hello, all --
>
> I have a small application consisting of servlets and jsp pages.  I use
> form based authentication via j_security_check to login.
>
> I have a strange problem I don't know how to solve.
>
> I have implemented a simple logout procedure whereby the logout servlet
> invalidates the session, and then transfers to a final thanks.jsp page that
> just says "thanks..".   So far, so good.  However, I wanted to try and do
> something about the back button issue, so, on the main.jsp page that calls
> the logout, I wrote this bit of javascript:
>
> <a href="greeting?event=LOGOUT"
> onclick="javascript:window.location.replace(this.href);
> event.returnValue=false; ">logout</a>
>
> Ok, this seems to work fine.  After logout, if the user is sitting on the
> thanks.jsp page, and presses the back button, it skips back to the initial
> login.jsp page (ignoring the main.jsp page that used to be in between).
>
> Good..
>
> However!  If I try and use the login.jsp page at that point, I get this
> error from tomcat:
>
> Apache Tomcat/4.0.3 - HTTP Status 400 - Invalid direct reference to form
> login page
>
> So, it seems at that point that the login page doesn't know where I want to
> go, and bombs.  The place where I do want to go is greeting?event=WELCOME,
> but j_security_check has no way of knowing that, because it didn't come in
> through the URL.  Since we came back to login.jsp via the back button, it
> isn't there.
>
> Any ideas on how to solve this?
>

You should never reference the URL of the login page directly.  Instead,
if you want to make them log back in, you should simply redirect them to
some page within the protected area (perhaps the main menu).  The usual
login dialog will happen.


> Thanks
> Paul Phillips
>

Craig
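
The redirect described in the reply above, sketched as a logout servlet. This is an added example, not code from the thread or from Tomcat; the class name, the `javax.servlet` API generation and the assumption that web.xml protects `/greeting` with FORM authentication (login.jsp as the form login page) are illustrative.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (hypothetical class). Assumes web.xml has a security-constraint
// covering /greeting and a login-config with auth-method FORM.
public class LogoutServlet extends HttpServlet {

    // A URL inside the protected area, taken from the thread's own example.
    private static final String PROTECTED_ENTRY = "/greeting?event=WELCOME";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        logout(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        logout(req, resp);
    }

    private void logout(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // getSession(false): do not create a session just to destroy it.
        HttpSession session = req.getSession(false);
        if (session != null) {
            // Drops the authenticated principal along with all session state.
            session.invalidate();
        }
        // Never send the browser to login.jsp itself. Redirecting to a protected
        // URL makes the container intercept the request, remember it as the
        // post-login target, and display the login form on its own, so the
        // following j_security_check POST has somewhere to go.
        resp.sendRedirect(req.getContextPath() + PROTECTED_ENTRY);
    }
}
```

With this flow the login form is always produced by the container in response to a request for a protected resource, which is the condition j_security_check needs to avoid the "Invalid direct reference to form login page" error.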

