When a user successfully logs in, I record an attribute in the session to indicate a valid login. Subsequently, I redirect the user to a welcome page.
Now, if the user *closes* the browser window and opens a new one, they can go to the welcome page without any problem. This strange behaviour is exhibited in Firefox and Netscape.
Is there any way to circumvent this obvious problem? I noticed that some bank sites don't behave this way. They also seem to be using CGIs (shiver), a route I don't want to take. There must be a Java/servlet solution to this problem.
Your comment/insight is welcome.