| From | Sent On | Attachments |
|---|---|---|
| Lawlor, Frank | May 17, 2002 10:59 pm | |
| Craig R. McClanahan | May 18, 2002 10:33 am | |
| Lawlor, Frank | May 20, 2002 7:33 am | |
| Subject: | RE: Tomcat 4 clears login parameters? | |
|---|---|---|
| From: | Lawlor, Frank (Fran...@AthensGroup.com) | |
| Date: | May 20, 2002 7:33:57 am | |
| List: | org.apache.tomcat.users | |
Craig,
Thanks for the response.
Yes, I agree that our use of parameters to determine the state of the login page wasn't portable, etc., but it did have the advantage of working reliably (on Tomcat 3.x).
Unfortunately the use of the standard browser tags for no-cache, expiration, etc. doesn't seem to work reliably at all. Even IE6 doesn't work right.
MS has a couple of pages on this, but their suggestions don't work either.
With the large number of people who want this you would think it shouldn't be hard for the browsers to make the tags work.
Can Tomcat help avoid this problem by putting up the form-based login page in its own window without any controls on it (like basic auth does)?
Frank Lawlor Athens Group, Inc. (512) 345-0600 x151 Athens Group, an employee-owned consulting firm integrating technology strategy and software solutions.
-----Original Message----- From: Craig R. McClanahan [mailto:crai...@apache.org] Sent: Saturday, May 18, 2002 12:34 PM To: Tomcat Users List Subject: Re: Tomcat 4 clears login parameters?
On Sat, 18 May 2002, Lawlor, Frank wrote:
Date: Sat, 18 May 2002 01:00:11 -0500 From: "Lawlor, Frank" <Fran...@AthensGroup.com> Reply-To: Tomcat Users List <tomc...@jakarta.apache.org> To: "'Tomcat (E-mail)'" <tomc...@jakarta.apache.org> Subject: Tomcat 4 clears login parameters?
One problem that Tomcat web apps have is that the login page remains in the browser history and if the user navigates to one of these and tries to use it, they get a rather incomprehensible result.
In Tomcat 3.x we had a good solution (the only one I have been able to find anywhere) which depends upon setting a parameter to indicate that the page has been used (this is used by JavaScript to write "Page invalidated" or whatever you want).
Unfortunately Tomcat 4.x seems to clear all the parameters. I suppose there may be some good security reason for clearing the username and password, but can't it leave other parameters alone?
Storing the username and password (from a form-based login) as attributes visible to the application was a very poor design decision in 3.3. You have unfortunately gotten yourself dependent on a container-specific implementation detail that isn't portable to anywhere else (even to other Tomcat versions).
You should put the appropriate HTML meta tags at the top of your login page to tell the browser not to cache the data -- that way, the user will get an "expired" error if they try to resubmit it, the same as you could do on any other form in the app when you want to avoid resubmits.
Thanks,
Frank Lawlor Athens Group, Inc. (512) 345-0600 x151 Athens Group, an employee-owned consulting firm integrating technology strategy and software solutions.
Craig
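As an added illustration (not code from the thread or from Tomcat), a form-based login page that sends the no-cache directives as HTTP response headers rather than relying only on the meta tags Craig mentions; the page layout and file are assumptions, while `j_security_check`, `j_username` and `j_password` are the Servlet specification's names.

```jsp
<%@ page language="java" contentType="text/html" %>
<%
    // Send the no-cache instructions as HTTP response headers. Browsers and
    // proxies honour these far more reliably than <meta http-equiv> tags,
    // which only some browsers read and which never reach intermediate caches.
    // Headers must be set before the response is committed, so do it first.
    response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
    response.setHeader("Pragma", "no-cache");      // HTTP/1.0 caches and proxies
    response.setDateHeader("Expires", 0L);         // already expired
%>
<html>
<head>
  <title>Login</title>
  <!-- Meta tags kept only as a fallback; the HTTP headers above are what count. -->
  <meta http-equiv="Cache-Control" content="no-store">
  <meta http-equiv="Pragma" content="no-cache">
  <meta http-equiv="Expires" content="0">
</head>
<body>
  <!-- Container-managed form-based login: field and action names are fixed by the Servlet spec. -->
  <form method="POST" action="j_security_check">
    <label>User name <input type="text" name="j_username"></label>
    <label>Password <input type="password" name="j_password"></label>
    <input type="submit" value="Log in">
  </form>
</body>
</html>
```

Setting the headers in the page itself also covers the case where the container forwards to the login page internally, which a Servlet 2.3 filter mapped to the page's URL would not intercept. A user who later reaches this page from browser history is then refetched from the server rather than shown a stale form.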