Hello
I have a situation where I'm using Tomcat 6.0.26 but the logging in / out of the application is not authenticated via Tomcat's action='<%= response.encodeURL("j_security_check") %>' method. The current system allows cookies to store userids which are used to show recent lists on the homepage of the application. So for a session, a user's userid can be read from the cookie and used to retrieve their details from the database and store them in the session, and render the homepage with its personalised recent list. The user's id can also then be placed in the login username box with the password stored in the session. But, in a single browser session, if the first user logs out, and another user logs in, the cookie is re-written with the new user's userid. But, because this is all in one browser session, use of the browser's back button allows the new user to access the profile details of the first user if the first user visited the page before logging off. No secure data is held in the system. Can anyone suggest a way to change this? I am no expert on session management. Thanks.
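One way to close the back-button gap described above, as an added example that is not code from the original post: a Servlet 2.5 filter for Tomcat 6 that sends no-store cache headers on personalised pages, invalidates the server-side session and expires the userid cookie on logout, and redirects any request whose current session has no logged-in user. The session attribute name "user", the cookie name "userid", the logout URL "/logout" and the login page "/login.jsp" are assumptions.

```java
// Added example (not from the original post): a Servlet 2.5 Filter for Tomcat 6
// that (1) marks personalised pages non-cacheable so the back button re-requests
// them instead of replaying a cached copy, (2) on logout invalidates the session
// and expires the userid cookie, and (3) bounces any page whose current session
// holds no user. Assumed names: session attribute "user", cookie "userid",
// logout URL ending in "/logout", login page "/login.jsp".
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class NoCacheSessionFilter implements Filter {

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String login = request.getContextPath() + "/login.jsp";

        // Never let the browser or a proxy keep a copy of a personalised page.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");      // HTTP/1.0 clients
        response.setDateHeader("Expires", 0);

        if (request.getRequestURI().endsWith("/logout")) {
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();   // drops the first user's details server-side
            }
            Cookie expired = new Cookie("userid", "");   // overwrite and expire it
            expired.setMaxAge(0);
            expired.setPath(request.getContextPath().length() == 0 ? "/" : request.getContextPath());
            response.addCookie(expired);
            response.sendRedirect(login);
            return;
        }

        // A page re-requested via the back button after logout has no user in
        // the new (or absent) session, so it is redirected instead of rendered.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            response.sendRedirect(login);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Map the filter in web.xml to the personalised URLs only (not to login.jsp), otherwise the redirect loops. If the profile page takes a userid from the URL rather than from the session, it must also compare that id with the user held in the current session.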