logout problem when using back button

From: humberto rios <humberto.rios_at_byu.edu>
Date: 23 Jun 2003 08:26:41 -0700
Message-ID: <a7885d05.0306230726.7ed48914_at_posting.google.com>



Problem:
I am writing an authentication login/logout application using JDev and BC4J. It works fine, but if I log out and then use the browser's back button to go back, the login action gets called again and logs the user in again. It should not remember which user it is. I tried using JavaScript to disallow the back button, but it only works one page back. I have tried invalidating the session like:
request.getSession().invalidate(). I also remove the form after the login action so it would not remember the name and password:

    // Remove the obsolete form bean
    if (mapping.getAttribute() != null) {
      if ("request".equals(mapping.getScope())) {
        System.out.println("Removing form from request so not carry forward");
        request.removeAttribute(mapping.getAttribute());
      } else {
        System.out.println("Removing form from session so not carry forward");
        HttpSession session = request.getSession();
        session.removeAttribute(mapping.getAttribute());
      }
    }

I have also used request.getSession(false).removeAttribute(LOGIN), with false instead of true.
None has made a difference. I took a look at several BC4J examples on the web and they all have the same problem.

Header page included in each JSP to check whether the user is logged in or not, to provide icons to log in or log out:

<logic:present name="UserLoggedIn" scope="session">
  <a href="signout.do" onmouseover="img_on('signout')" onmouseout="img_off('signout')"><img alt="<bean:message key='logout.title'/>" src="<bean:message key='images.toolbar.signout'/>" border="0" name="img_signout"></a>
</logic:present>
<logic:notPresent name="UserLoggedIn" scope="session">
  <a href="login.do" onmouseover="img_on('signin')" onmouseout="img_off('signin')"><img alt="<bean:message key='login.title'/>" src="<bean:message key='images.toolbar.signin'/>" border="0" name="img_signin"></a>
</logic:notPresent>

The signout action calls another class to remove the user variable from the session:

  private static final String LOGIN = "UserLoggedIn"; ...

  public static void signOut(HttpServletRequest request) {
    request.getSession(true).removeAttribute(LOGIN);
  }

The login action puts the user name into the session:

  public static void signIn(HttpServletRequest request, String username) {
    request.getSession(true).setAttribute(LOGIN, username);
  }

The following are the actions in struts-config.xml:

    <action path="/login"
            type="edu.byu.ce.orion.registration.controller.actions.LoginAction"
            input="/yp.jsp"
            validate="true"
            name="LoginForm"
            scope="request">
      <forward name="success" path="/welcome.jsp" />
    </action>

    <!-- Signout from the store -->
    <action path="/signout"
            type="edu.byu.ce.orion.registration.controller.actions.SignOutAction">
      <!--<set-property property="application" value="ToyStore"/>-->
      <!--<set-property property="releasemode" value="Stateful"/>-->
      <forward name="success" path="goodbye.jsp"/>
    </action>

Received on Mon Jun 23 2003 - 17:26:41 CEST
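
A common defensive pattern for the symptom described in this post, shown as an added example that is not part of the original message or the poster's code: redirect after a successful login so the browser history never holds the credential POST, mark authenticated pages as non-cacheable, and invalidate the whole session on logout. The class name SessionHardening is hypothetical; the Servlet API (javax.servlet) on the classpath is assumed, and the attribute name and /welcome.jsp are taken from the post.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (hypothetical class name). Map the filter to every page
// that requires a login; call signIn/signOut from the login and signout actions.
public class SessionHardening implements Filter {
    private static final String LOGIN = "UserLoggedIn"; // attribute name from the post

    // Forbid caching so that Back re-requests the page from the server,
    // where the missing session attribute is noticed, instead of
    // redisplaying a stored copy of an authenticated page.
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        response.setHeader("Pragma", "no-cache");   // HTTP/1.0 clients and proxies
        response.setDateHeader("Expires", 0);
        chain.doFilter(req, res);
    }

    public static void signIn(HttpServletRequest request, HttpServletResponse response,
                              String username) throws IOException {
        // Discard any pre-login session so the authenticated session gets a
        // fresh id (also protects against session fixation).
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        request.getSession(true).setAttribute(LOGIN, username);
        // Post/Redirect/Get: the history entry becomes "GET /welcome.jsp",
        // so Back cannot resubmit the user name and password.
        // The calling action returns null after this, since the response is complete.
        String target = request.getContextPath() + "/welcome.jsp";
        response.sendRedirect(response.encodeRedirectURL(target));
    }

    public static void signOut(HttpServletRequest request) {
        // getSession(false): do not create a new session just to log out.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate(); // drops UserLoggedIn and every other attribute
        }
    }

    public void init(FilterConfig config) { }
    public void destroy() { }
}
```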
