Craig, Thanks for the response.
Yes, I agree that our use of parameters to determine the state of the login page wasn't portable, etc., but it did have the advantage of working reliably (on Tomcat 3.x).

Unfortunately the use of the standard browser tags for no-cache, expiration, etc. doesn't seem to work reliably at all. Even IE6 doesn't work right. MS has a couple of pages on this, but their suggestions don't work either. With the large number of people who want this you would think it shouldn't be hard for the browsers to make the tags work.

Can Tomcat help avoid this problem by putting up the form-based login page in its own window without any controls on it (like basic auth does)?

Frank Lawlor
Athens Group, Inc.
(512) 345-0600 x151
Athens Group, an employee-owned consulting firm integrating technology strategy and software solutions.

> -----Original Message-----
> From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, May 18, 2002 12:34 PM
> To: Tomcat Users List
> Subject: Re: Tomcat 4 clears login parameters?
>
> On Sat, 18 May 2002, Lawlor, Frank wrote:
>
> > Date: Sat, 18 May 2002 01:00:11 -0500
> > From: "Lawlor, Frank" <[EMAIL PROTECTED]>
> > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > To: "'Tomcat (E-mail)'" <[EMAIL PROTECTED]>
> > Subject: Tomcat 4 clears login parameters?
> >
> > One problem that Tomcat web apps have is that the login page remains
> > in the browser history and if the user navigates to one of these and
> > tries to use it, they get a rather incomprehensible result.
> >
> > In Tomcat 3.x we had a good solution (the only one I have been able
> > to find anywhere) which depends upon setting a parameter to indicate
> > that the page has been used (this is used by JavaScript to write
> > "Page invalidated" or whatever you want).
> >
> > Unfortunately Tomcat 4.x seems to clear all the parameters. I suppose
> > there may be some good security reason for clearing the username and
> > password, but can't it leave other parameters alone?
> >
>
> Storing the username and password (from a form-based login) as
> attributes visible to the application was a very poor design decision
> in 3.3. You have unfortunately gotten yourself dependent on a
> container-specific implementation detail that isn't portable to
> anywhere else (even to other Tomcat versions).
>
> You should put the appropriate HTML meta tags at the top of your login
> page to tell the browser not to cache the data -- that way, the user
> will get an "expired" error if they try to resubmit it, the same as you
> could do on any other form in the app when you want to avoid resubmits.
>
> > Thanks,
> >
> > Frank Lawlor
> > Athens Group, Inc.
> > (512) 345-0600 x151
> > Athens Group, an employee-owned consulting firm integrating technology
> > strategy and software solutions.
> >
>
> Craig
>
> --
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
