I realize that you're asking if there is a Tomcat-configurable solution to this problem .... but that isn't the best way to handle this in the Java world.
The Tomcat-configurable way might be to force a directory (or web-app) to force a new hit to the server instead of allowing the page to be cached in the browser. I'm not sure how you do this, but I am sure someone does. There is also a way to put a directive in the JSP page that forces it to refresh every time the page is hit ... there's a way to do it, but I've since forgotten .... yeah, I know, I am just so full of information.

My personal best way to solve this is to use Servlets ... if my user goes to my login.jsp page, that's fine ... when they submit though it goes to a Login Servlet which does all the work and then re-directs to the login.jsp page with errors or failed validation. The Servlet uses a JavaBean to query the database, and if all is well, then the servlet redirects to the web-site itself. The Login Servlet also sets a user object in session ... so that if a user tries to bookmark a URL ... if the user object doesn't exist (because of timing out, or whatever), then I redirect them back to the login.jsp.

I know a lot of people don't like that because they have server farms and the user has to be re-directed back to the same machine and objects in session take up system memory. But, I don't put a lot into that object, it's very minimal, and I don't get many users for it to be an issue, and I bumped up the memory on that web-server anyway.

Hope this helps.

Thanks.

Tom

----- Original Message -----
From: "Chaikin, Yaakov Y (US SSA)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, December 08, 2003 5:59 PM
Subject: How to prevent direct access to login.jsp

Hi,

I realized that my user can mess himself by bookmarking the login page he is asked to log in. The login.jsp appears in the URL address in the browser...

Does anyone know how to avoid this? How do I block that URL for the user and not for the server?

Thanks.
Yaakov Chaikin
Software Engineer
BAE SYSTEMS
301-838-6899 (phone)
301-838-6802 (fax)
[EMAIL PROTECTED]

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
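
The session check described in the reply above, written as a servlet Filter. This is an added example, not code from the original post. The use of a Filter, the session attribute name "user" and the Login Servlet mapping "/login" are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added example: sends requests without a session user object to login.jsp. */
public class SessionUserFilter implements Filter {
    // Hypothetical names: the session attribute the Login Servlet would set
    // and the URL pattern the Login Servlet would be mapped to in web.xml.
    static final String USER_ATTR = "user";
    static final String LOGIN_SERVLET = "/login";
    static final String LOGIN_PAGE = "/login.jsp";

    public void init(FilterConfig config) { }

    // Intended to be mapped to /* so every page and servlet passes through it.
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getServletPath() excludes the context path and any ;jsessionid suffix.
        String path = request.getServletPath();
        // The login page and Login Servlet must stay reachable, or the redirect loops.
        boolean loginResource = LOGIN_PAGE.equals(path) || LOGIN_SERVLET.equals(path);

        // getSession(false) does not create a session for an anonymous request.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;

        if (loggedIn || loginResource) {
            chain.doFilter(req, res);
        } else {
            // Timed-out session or bookmarked URL: back to the login page.
            String target = request.getContextPath() + LOGIN_PAGE;
            response.sendRedirect(response.encodeRedirectURL(target));
        }
    }

    public void destroy() { }
}
```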