>
> 1. A user logs in and details are stored in the session, the session is
> checked in every servlet to see if it is null and therefore if access should
> be allowed.
>
> 2. The user does some stuff then logs out, the logout servlet uses
> session.invalidate() to prevent anyone using the back button to get back
> into the system.
>
Maybe I've misread the problem, but would it help to explicitly set all the
session variables to null just before calling session.invalidate()? Then
the session hanging around wouldn't hold any sensitive data.

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
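
The login check and logout step discussed in this message, as an added example that is not part of the original post: a servlet that removes every session attribute before calling session.invalidate(), next to the null-session check from step 1. The class name, the "user" attribute name and the /login path are assumptions, and the code targets the javax.servlet API.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.List;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet; the name is not from the original thread.
public class LogoutServlet extends HttpServlet {

    // Step 1 check: true only if a session exists and still holds login details.
    // "user" is an assumed attribute name.
    static boolean isLoggedIn(HttpServletRequest req) {
        HttpSession session = req.getSession(false); // never create a session here
        if (session == null) {
            return false;
        }
        try {
            return session.getAttribute("user") != null;
        } catch (IllegalStateException alreadyInvalidated) {
            return false; // session was invalidated between the two calls
        }
    }

    // Step 2: clear the session contents, then invalidate it.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            try {
                // Copy the names first; removing while enumerating is unsafe.
                List<String> names = Collections.list(session.getAttributeNames());
                for (String name : names) {
                    session.removeAttribute(name);
                }
                session.invalidate();
            } catch (IllegalStateException alreadyInvalidated) {
                // Another request already invalidated it; nothing left to clear.
            }
        }
        resp.sendRedirect(req.getContextPath() + "/login"); // assumed login path
    }
}
```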