>>> Punam Chordia <[EMAIL PROTECTED]> 03-Feb-00 3:09:09 AM >>>
>Suppose, a higher priority user performs the following steps:
>* logs in
>* performs some task
>* logs out.
>When he logs out, I will invalidate the session.
>Now IN THE SAME BROWSER WINDOW, another user logs in,
>who is of lesser priority than the previous user.
>He can use the back button of the browser to access the high priority
>user's screen and perform any functionality as the servlet will just validate
>the session and let the user perform the task.
Why would this happen?
It would only happen if you were NOT checking the user's security
level.
I would create class objects to represent the security level, ie:
// common base type that is stored on the session
abstract class Priority
{
}
class pri1
extends Priority
{
String priority1;
}
class pri2
extends Priority
{
String priority2;
}
Then you can place these on the user's session and test for them at
the start of every servlet method.
ie:
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.*;
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException
{
HttpSession sesh=request.getSession(false); // false: never create one here
Priority x=(sesh==null) ? null : (Priority)sesh.getAttribute("priority");
if(x instanceof pri1)
{ //user is priority 1
}
else if(x instanceof pri2)
{ //user is pri2
}
else // no session, or no priority on it: refuse rather than assume a level
response.sendError(HttpServletResponse.SC_FORBIDDEN);
}
Also note that the scenario you outline could only happen using
cookies; using URLs, the session id itself is encoded in the URL so the
servlet would just get invalid session ids.
Nic Ferrier
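An added example, not code from the original message: one way to put the level check Nic describes at the start of every servlet method, and to send cache headers so the Back button cannot redisplay a privileged page after logout. It assumes the javax.servlet API; SecureServlet, Priority, ATTR and AdminReportServlet are names chosen here.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.*;
// Ordered privilege levels: compare by rank, not by instanceof.
enum Priority { LOW, HIGH }
// Base servlet: every subclass calls requireAtLeast() first in doGet/doPost.
abstract class SecureServlet extends HttpServlet {
    static final String ATTR = "priority"; // session attribute set at login (assumed name)
    // Returns true when the caller may proceed; otherwise the error is already sent.
    protected boolean requireAtLeast(HttpServletRequest req, HttpServletResponse resp,
                                     Priority required) throws IOException {
        // false: an unauthenticated request must not be handed a fresh session
        HttpSession session = req.getSession(false);
        Priority actual = (session == null) ? null : (Priority) session.getAttribute(ATTR);
        if (actual == null) {                 // no session, or no login recorded on it
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }
        if (actual.compareTo(required) < 0) { // logged in, but not privileged enough
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }
        noStore(resp); // so Back cannot replay this page from the browser cache
        return true;
    }
    // Privileged responses must not be stored by the browser or a proxy.
    static void noStore(HttpServletResponse resp) {
        resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        resp.setHeader("Pragma", "no-cache");
        resp.setDateHeader("Expires", 0);
    }
    // Logout: invalidate so the old session id is useless to the next user of the browser.
    protected void logout(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session != null) session.invalidate();
    }
}
// A page that only the higher-priority user may see.
class AdminReportServlet extends SecureServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!requireAtLeast(req, resp, Priority.HIGH)) return;
        resp.setContentType("text/plain");
        resp.getWriter().println("high priority report");
    }
}
```

The cache headers matter because the Back button serves the page from the browser's cache without contacting the servlet at all, so the session check alone cannot stop an already-rendered screen from being shown again.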
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html