I'm working on a project with a friend to see if we can make our own little website. He has decided that for username and pass submission we have to use GET instead of POST because of some kind of firewall or some issue (I don't know, that's just what he said).

I am using JBoss, the j_security auth type, and a GET method. He is going to try and implement HTTPS at some point. The problem I have is that when you enter an invalid username and pass, I have the web.xml set up to redirect to a "bad.jsp" that says wrong, try again, but the URL clearly shows the GET variables. I would like to find a way to keep the variables out of the redirected URL.

I have made some JavaScript to detect if j_security is in the URL and then re-redirect to bad.jsp without anything. The only small problem is that the original URL with vars is still in the history on some browsers. So that only kind of works. Is there a better way to do this?