1 Reply Latest reply on Sep 4, 2005 12:17 PM by starksm64

    Problem when users do not logout

    kvikram

      Hi,

      We have a web application running on JBoss 3.2.3 which authenticates against an LDAP server using form-based authentication and JAAS.
      There is a custom login module which extends org.jboss.security.auth.spi.UsernamePasswordLoginModule to achieve this and has been configured using login-config.xml.

      Everything works fine except when we encounter the scenario below.
      a) Log in to the application as user "A"
      b) Using the browser Back button, reach the login screen again (i.e. without logging out)
      c) Now log in as user "B" (in the same browser session)
      d) User "B" now has the principals of user "A", i.e.

      Subject subj = SecurityAssociation.getSubject();

      the above statement retrieves the Subject of user "A" rather than that of user "B".

      (There is no problem when user "A" does a proper logout and then re-logs in as a different user "B".)

      Can someone suggest how this problem can be resolved, or how the user can be prevented from doing the above?

      Thanks in advance
      Vikram
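One server-side mitigation for the scenario described above, added here as an example and not code from the original post or from JBoss: a servlet filter mapped to the login page that (1) marks the page non-cacheable so the Back button cannot re-display a stale form, and (2) invalidates any session that already carries an authenticated user before a new login form is served, so the second login cannot inherit the first user's security association. The login page path, the filter name and the Servlet 2.3 API usage are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (not JBoss code), mapped in web.xml to the
 * login page (assumed here to be /login.jsp). Serving the login form
 * while the browser already holds an authenticated session discards
 * that session first, so the next login starts clean.
 */
public class StaleLoginSessionFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (hasAuthenticatedSession(request)) {
            // Drop the previous user's session before showing a new login form.
            request.getSession(false).invalidate();
        }

        // HTTP/1.1 and HTTP/1.0 directives: never serve the login form from cache,
        // so the Back button triggers a fresh request that this filter sees.
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        chain.doFilter(req, res);
    }

    /** True when a session exists and the container has bound a user to it. */
    static boolean hasAuthenticatedSession(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session != null && request.getRemoteUser() != null;
    }

    public void destroy() { }
}
```

Because the container's form authenticator keeps its own state in the session, a login submitted right after the invalidation may need the user to navigate to a protected page again; that is the expected cost of not letting a second login reuse the first user's session.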