1. I do not know exactly, but it seems that any GET or POST from that previous user's page will be followed by the creation of a new session (the session in the context of which this page was issued is invalidated already, isn't it?).
2. What prevents you from checking whether the requested GET or POST is allowed for the user owning session No. 2? The servlet validates the session; you then (in doGet/doPost) validate the action requested.
> -----Original Message-----
> From: A mailing list for discussion about Sun Microsystem's Java Servlet API Technology. [mailto:[EMAIL PROTECTED]] On Behalf Of Punam Chordia
> Sent: Thursday, February 03, 2000 6:09 AM
> To: [EMAIL PROTECTED]
> Subject: Doubt about sessions...
>
> Hi friends,
> I have a doubt regarding sessions.
> Initially I shall give a background of what I am trying to do.
> I have a system in which a user logs in and according to his priority a menu is displayed.
> Suppose, a higher priority user performs the following steps:
> * logs in
> * performs some task
> * logs out.
> Now when he logs in I will create a new session for him. Say he has session ID 1.
> When he logs out, I will invalidate the session.
> Now IN THE SAME BROWSER WINDOW, another user logs in, who is of lesser priority than the previous user. Say he gets session ID 2.
> He can use the back button of the browser to access the high priority user's screen and perform any functionality, as the servlet will just validate the session ID (2 is valid) and let the user perform the task.
> I don't want this to happen.
> Any pointers are most welcome.
>
> Regards,
>
> Punam Chordia
> ITL Infosys
> Pune Infotech Park
> 91-02139-32800 Extn. 2025
Archives: http://archives.java.sun.com/archives/servlet-interest.html
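The two-step check the reply describes (validate the session, then validate the requested action against that session's user) as an added illustration; this is example code, not from the original thread or any project. It assumes a hypothetical servlet where the action is an `action` request parameter, the login code stores the user's numeric priority in a session attribute named `priority`, and each action has a minimum priority in a table; the cache headers at the end are an extra measure so the back button re-requests the page rather than showing a cached copy.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet: each action name (a request parameter) has a minimum
// user priority; the values here are constructed for the example.
public class TaskServlet extends HttpServlet {

    private static final Map<String, Integer> REQUIRED_PRIORITY = Map.of(
        "viewReport", 1,
        "approveOrder", 5,
        "deleteUser", 9);

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        handle(req, resp);
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        handle(req, resp);
    }

    private void handle(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Step 1: is there a live, logged-in session at all? (assumed: login
        // stores the user's priority under the session attribute "priority")
        HttpSession session = req.getSession(false);
        Integer priority = session == null ? null : (Integer) session.getAttribute("priority");
        if (priority == null) {
            resp.sendRedirect(req.getContextPath() + "/login");
            return;
        }
        // Step 2: is the action in THIS request allowed for THIS session's user?
        // A valid session id (user 2) says nothing about the page (user 1's)
        // from which the request was replayed via the back button.
        String action = req.getParameter("action");
        Integer required = action == null ? null : REQUIRED_PRIORITY.get(action);
        if (required == null || priority < required) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Action not permitted");
            return;
        }
        // Keep the page out of the browser cache so "back" re-requests it and
        // passes through the checks above instead of showing a stale copy.
        resp.setHeader("Cache-Control", "no-store");
        resp.setHeader("Pragma", "no-cache");
        resp.setContentType("text/plain");
        resp.getWriter().println("Performed " + action + " as priority " + priority);
    }
}
```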