I have narrowed down the problem.

1. no-cache indeed works.

2. when I click "Back" to the dynamically generated "user home", I got the
following from Netscape Communicator 4.5:

[Data Missing
This document resulted from a POST operation and has expired from the cache.
If you wish you can repost the form data to recreate the document by
pressing the reload button. ]

and the following from MS IE 4.x:
[Warning: Page has Expired The page you requested was created using
information you submitted in a form. This page is no longer available. As a
security precaution, Internet Explorer does not automatically resubmit your
information for you.
To resubmit your information and view this Web page, click the Refresh
button. ]
The mystery is: When I choose to "Reload" or "Refresh", the original
username/password data was POSTed to the servlet again.
WHERE DOES THE BROWSER GET THIS INFORMATION??????
Quitting the browser gets rid of the info. I probably have to require the user
to exit the browser after they are done w/ my application. Any way to remove
the info from the browser without quitting the browser altogether? Or is this
info cached on the Web server side? Any way to remove the history so one
cannot "Back" to the previous "user home" page URL?
Guess what, I think I should send this one to the Netscape Client List, but I am
sure other Servlet + JSP developers should have met the same challenge to
develop secure web-based apps.
Thanks.
weibo (weber) yuan
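An added example, not code from this thread, of the server-side half of the mitigation in servlet Java: the same headers the poster sets via <META> are sent as real HTTP headers on the servlet response, and the login POST is answered with a redirect so that the browser's history entry for the home page is a GET rather than the POST result (the redirect step goes beyond what the message describes). The `/home` and `/Login.html` URLs and the `checkCredentials` lookup are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Added example, not from the thread. Assumes a user-store lookup
// checkCredentials() exists and that the home page is served by GET at /home.
public class LoginServlet extends HttpServlet {

    // Same headers the post sets via <META>, emitted as HTTP headers so that
    // both the browser cache and intermediate proxies see them.
    static void noCache(HttpServletResponse resp) {
        resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        resp.setHeader("Pragma", "no-cache");
        resp.setDateHeader("Expires", 0);   // 1 Jan 1970, i.e. already expired
    }

    public void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        noCache(resp);
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null || !checkCredentials(user, pass)) {
            resp.sendRedirect(resp.encodeRedirectURL("/Login.html"));
            return;
        }
        // Discard any session left over from an earlier login before issuing
        // a fresh one for this user.
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        HttpSession session = req.getSession(true);
        session.setAttribute("user", user);
        // Redirect instead of writing the home page from the POST: browsers
        // then record the GET of /home in history, so "Back" + "Reload" sends
        // a GET that the home servlet can refuse once the session is gone.
        resp.sendRedirect(resp.encodeRedirectURL("/home"));
    }

    // Placeholder for the real credential check (assumption).
    private boolean checkCredentials(String user, String pass) {
        return false;
    }
}
```

The servlet behind `/home` should call `noCache()` too and redirect to `/Login.html` when `req.getSession(false)` returns null, so that a replayed request after Logout's `session.invalidate()` lands on the login page instead of the old user home.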


> -----Original Message-----
> From: Weibo (Weber) Yuan
> Sent: Thursday, April 08, 1999 6:59 PM
> To:   [EMAIL PROTECTED]
> Subject:      Security: reload/refresh ->  form data reposted
>
> Hello, there. I am developing a Servlet + JSP based Web application. The
> user starts w/ the Login.html page. The username and password form data is
> posted to the "LoginServlet". If login is successful, the "LoginServlet" puts
> the user to a three-frame main page: top (nav bar), left (menu), and body
> (home). In all .html and .jsp files, I have the following in the <HEAD>
> ...
> </HEAD> block:
>
> <META HTTP-EQUIV="Expires" CONTENT="0">
> <META HTTP-EQUIV="Pragma" CONTENT="no-cache">
> <META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
> <META HTTP-EQUIV="Cache-Control" CONTENT="no-store">
>
> When the servlet generates the response, I set similar headers for the
> response.
>
> These are based on the previous discussions on "cache" and "security" on
> the SERVLET-INTEREST and JSP-INTEREST.
>
> When the user clicks on "Logout", I invalidate the session, and put them back
> to the "Login.html".
>
> After a typical session like this, I look at the history of the browser
> (click on "Go" for Netscape Communicator 4.5 and "History" for MS IE4),
> and found that I was able to click the "Back" button to go to the LoginServlet
> URL, and the display is:
>
> *****
> Data Missing
>
> This document resulted from a POST operation and has expired from the
> cache. If you wish you can repost the form data to recreate the document by
> pressing the reload button.
> *****
>
> This seems to suggest that the page is indeed expired. But when I click on
> reload, it puts me right back to the User Home, which seems to suggest
> that the Form Data (which the user entered on Login.html) is still cached by
> the browser.
>
> BTW, the "Login.html" is also shown in history (at least for Netscape),
> but the user entered data is not there if I select the page or "Back" to the
> page. So that's no problem.
>
> I am doing this on the server: Win NT 4.0 w/ SP 3, WebSphere Standard 2.0;
> client: Netscape Communicator 4.5 and MS IE4.
>
> I hope I have described the problem. Any help is appreciated!
>
> weibo (weber) yuan

===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff JSP-INTEREST".  For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".