Posted to user@struts.apache.org by Cuneyt Karul <cu...@eojs.com> on 2002/09/30 07:39:03 UTC

Security bug in the sample application?

Hi,

I was playing with the sample application that comes with Struts and I noticed a strange behavior. I just wanted to check whether this is expected, and if so, what the best way to solve this problem is.

When I log on with a valid user the application takes me to the page:
http://localhost:8080/struts-example/logon.do

Here I choose the Log off MailReader Demonstration Application link which logs me off from the application.

Then I use BACK button of my browser to go to the logon.do page and reload this page.
I expect the application to send me back to the logon page (and it does so for all the other pages).

On the browser I get a message like "this page cannot be refreshed without resending the information".
I hit retry and voilà, I'm logged back into the application without even being prompted for username and password.

I modified the code to trace this in the server logs and noticed that both the username and the password are actually kept in memory and sent back to the server.

Is there a nice way to prevent this behavior?

Thanks

Cuneyt Karul
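The scenario in the post, as an added example that is not part of the original message or of the Struts MailReader sample: the browser caches the body of the logon POST, and Back plus Reload resends it verbatim, so a handler that decides purely on the credentials silently logs the user back in after logoff. The model below is plain Python, not the Struts code. It compares that naive handler with one that binds each logon form to a one-time token stored in the session (the synchronizer-token pattern; Struts 1's Action.saveToken/isTokenValid serve the same purpose) and answers the successful POST with a redirect, so the page a reload re-requests is a GET. The user store, the session and browser stand-ins, and the function names are all constructed for this illustration.

```python
import secrets

# Constructed user store for this demonstration; not the MailReader sample's data.
USERS = {"cuneyt": "s3cret"}
TOKEN_KEY = "TRANSACTION_TOKEN"


class Session:
    """Stand-in for HttpSession: a dict of attributes plus invalidate()."""

    def __init__(self):
        self.attrs = {}
        self.valid = True

    def invalidate(self):
        self.attrs.clear()
        self.valid = False


class Browser:
    """Stand-in for the browser: holds the session cookie and the last POST body,
    which is exactly what Back + Reload resubmits."""

    def __init__(self):
        self.session = Session()
        self.last_post = None

    def current_session(self):
        # Like a servlet container: an invalidated session is replaced by a fresh, empty one.
        if not self.session.valid:
            self.session = Session()
        return self.session


def logon_form(browser):
    """GET the logon page: mint a one-time token, keep it in the session, embed it in the form."""
    session = browser.current_session()
    token = secrets.token_hex(16)
    session.attrs[TOKEN_KEY] = token
    return {"token": token}


def logon_naive(browser, form):
    """Credentials alone decide success: a resubmitted POST logs the user back in."""
    browser.last_post = dict(form)
    session = browser.current_session()
    if USERS.get(form.get("username")) == form.get("password"):
        session.attrs["user"] = form["username"]
        return 200  # renders the welcome page directly in the POST response
    return 401


def logon_with_token(browser, form):
    """Accept the POST only if its token matches the session's token, then consume it."""
    browser.last_post = dict(form)
    session = browser.current_session()
    expected = session.attrs.pop(TOKEN_KEY, None)  # pop: each token is good for one submit
    if expected is None or not secrets.compare_digest(expected, form.get("token", "")):
        return 403  # replayed or foreign form; credentials are not even examined
    if USERS.get(form.get("username")) == form.get("password"):
        session.attrs["user"] = form["username"]
        return 303  # Post/Redirect/Get: Reload on the landing page re-issues a GET, not the POST
    return 401


def logoff(browser):
    """The 'Log off' link: drop the session, which also discards any unused token."""
    browser.current_session().invalidate()


def back_and_reload(browser, handler):
    """Back button, then Reload: the browser resends the cached POST body unchanged."""
    return handler(browser, browser.last_post)


def replay_after_logoff(handler):
    """Run the post's scenario: log on, log off, Back + Reload.
    Returns (status of the replayed POST, whether the user ended up logged in)."""
    browser = Browser()
    form = {"username": "cuneyt", "password": "s3cret", **logon_form(browser)}
    handler(browser, form)
    logoff(browser)
    status = back_and_reload(browser, handler)
    return status, "user" in browser.current_session().attrs


if __name__ == "__main__":
    print("naive handler:", replay_after_logoff(logon_naive))        # (200, True)
    print("token handler:", replay_after_logoff(logon_with_token))   # (403, False)
```

The token check is what stops the replay: after logoff the container hands out an empty session, so the cached POST carries a token that no longer matches anything and is refused before the password is looked at. The redirect on success is a separate, complementary measure; it keeps the POST out of the browser's history for the normal Reload case but does nothing against a deliberate Back + Resend. Neither stops the browser from retaining the credentials in memory, which is why the combination with an expiring token matters.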