You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Paul Phillips <pa...@partitura.com> on 2002/07/09 17:40:13 UTC
j_security_check and logout
Hello, all --
I have a small application consisting of servlets and jsp pages. I use
form based authentication via j_security_check to login.
I have a strange problem know how to solve.
I have implemented a simple logout procedure whereby the logout servlet
invalidates the session, and then transfers to a final thanks.jsp page that
just says "thanks..". So far, so good. However, I wanted to try and do
something about the back button issue, so, on the main.jsp page that calls
the logout, I wrote this bit of javascript:
<a href="greeting?event=LOGOUT"
onclick="javascript:window.location.replace(this.href);
event.returnValue=false; ">logout</a>
Ok, this seems to work fine. After logout, if the user is sitting on the
thanks.jsp page, and presses the back button, it skips back to the initial
login.jsp page (ignoring the main.jsp page that used to be in between.
Good..
However! If I try and use the login.jsp page at that point, I get this
error from tomcat:
Apache Tomcat/4.0.3 - HTTP Status 400 - Invalid direct reference to form
login page
So, it seems at that point that the login page doesn't know where I want to
go, and bombs. The place where I do want to go is greeting?event=WELCOME,
but j_security_check has no way of knowing that, because it didn't come in
throught the URL. Since we came back to login.jsp via the back button, it
isn't there.
Any ideas on how to solve this?
Thanks
Paul Phillips
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: j_security_check and logout
Posted by Paul Phillips <pa...@partitura.com>.
As Craig wrote below:
> You should never reference the URL of the login page directly. Instead,
> if you want to make them log back in, you should simply redirect them to
> some page within the protected area (perhaps the main menu). The usual
> login dialog will happen.
I am not referencing the URL of the login page directly. (At least I'm
trying not to! :))
That is the problem. The direct reference is a byproduct of the user
pressing the back button when the "regular" intervening pages have been
erased from history using javascript.
I still can't figure out a way around this...
Any ideas are appreciated...
Paul Phillips
--On Tuesday, July 9, 2002 10:50 AM -0700 "Craig R. McClanahan"
<cr...@apache.org> wrote:
>
>
> On Tue, 9 Jul 2002, Paul Phillips wrote:
>
>> Date: Tue, 09 Jul 2002 10:40:13 -0500
>> From: Paul Phillips <pa...@partitura.com>
>> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
>> To: Tomcat Users List <to...@jakarta.apache.org>
>> Subject: j_security_check and logout
>>
>> Hello, all --
>>
>> I have a small application consisting of servlets and jsp pages. I use
>> form based authentication via j_security_check to login.
>>
>> I have a strange problem know how to solve.
>>
>> I have implemented a simple logout procedure whereby the logout servlet
>> invalidates the session, and then transfers to a final thanks.jsp page
>> that just says "thanks..". So far, so good. However, I wanted to try
>> and do something about the back button issue, so, on the main.jsp page
>> that calls the logout, I wrote this bit of javascript:
>>
>> <a href="greeting?event=LOGOUT"
>> onclick="javascript:window.location.replace(this.href);
>> event.returnValue=false; ">logout</a>
>>
>> Ok, this seems to work fine. After logout, if the user is sitting on the
>> thanks.jsp page, and presses the back button, it skips back to the
>> initial login.jsp page (ignoring the main.jsp page that used to be in
>> between.
>>
>> Good..
>>
>> However! If I try and use the login.jsp page at that point, I get this
>> error from tomcat:
>>
>> Apache Tomcat/4.0.3 - HTTP Status 400 - Invalid direct reference to form
>> login page
>>
>> So, it seems at that point that the login page doesn't know where I want
>> to go, and bombs. The place where I do want to go is
>> greeting?event=WELCOME, but j_security_check has no way of knowing that,
>> because it didn't come in throught the URL. Since we came back to
>> login.jsp via the back button, it isn't there.
>>
>> Any ideas on how to solve this?
>>
>
> You should never reference the URL of the login page directly. Instead,
> if you want to make them log back in, you should simply redirect them to
> some page within the protected area (perhaps the main menu). The usual
> login dialog will happen.
>
>
>> Thanks
>> Paul Phillips
>>
>
> Craig
>
>
> --
> To unsubscribe, e-mail:
> <ma...@jakarta.apache.org> For additional
> commands, e-mail: <ma...@jakarta.apache.org>
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: j_security_check and logout
Posted by "Craig R. McClanahan" <cr...@apache.org>.
On Tue, 9 Jul 2002, Paul Phillips wrote:
> Date: Tue, 09 Jul 2002 10:40:13 -0500
> From: Paul Phillips <pa...@partitura.com>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: Tomcat Users List <to...@jakarta.apache.org>
> Subject: j_security_check and logout
>
> Hello, all --
>
> I have a small application consisting of servlets and jsp pages. I use
> form based authentication via j_security_check to login.
>
> I have a strange problem know how to solve.
>
> I have implemented a simple logout procedure whereby the logout servlet
> invalidates the session, and then transfers to a final thanks.jsp page that
> just says "thanks..". So far, so good. However, I wanted to try and do
> something about the back button issue, so, on the main.jsp page that calls
> the logout, I wrote this bit of javascript:
>
> <a href="greeting?event=LOGOUT"
> onclick="javascript:window.location.replace(this.href);
> event.returnValue=false; ">logout</a>
>
> Ok, this seems to work fine. After logout, if the user is sitting on the
> thanks.jsp page, and presses the back button, it skips back to the initial
> login.jsp page (ignoring the main.jsp page that used to be in between.
>
> Good..
>
> However! If I try and use the login.jsp page at that point, I get this
> error from tomcat:
>
> Apache Tomcat/4.0.3 - HTTP Status 400 - Invalid direct reference to form
> login page
>
> So, it seems at that point that the login page doesn't know where I want to
> go, and bombs. The place where I do want to go is greeting?event=WELCOME,
> but j_security_check has no way of knowing that, because it didn't come in
> throught the URL. Since we came back to login.jsp via the back button, it
> isn't there.
>
> Any ideas on how to solve this?
>
You should never reference the URL of the login page directly. Instead,
if you want to make them log back in, you should simply redirect them to
some page within the protected area (perhaps the main menu). The usual
login dialog will happen.
> Thanks
> Paul Phillips
>
Craig
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>