WebApp Sec mailing list archives
RE: Browser refresh sends username/password after log out -- URGENT
From: <roshen.chandran () paladion net>
Date: Thu, 7 Aug 2003 09:07:25 +0530
Extending Chris' note, we have seen this behaviour when the login post directly goes to a new frameset which then frames all the remaining pages till logout. The parent frame still "remembers" the variables posted to receive it even when you navigate the other pages.

This problem can be solved if a re-direction is used on authentication and before the frameset is created; the username/passwords will not get re-sent on browser refresh of the 6th page if the frameset is itself created through a re-direction in the first place.

Thanks,
-Roshen
Paladion Networks
www.paladion.net

-----Original Message-----
From: Chris Scott [mailto:cgscott () ll mit edu]
Sent: Wednesday, August 06, 2003 7:56 PM
To: webappsec () securityfocus com
Subject: Re: Browser refresh sends username/password after log out -- URGENT

Possibly due to the use of frames. The result of the POST for the login form could be a frameset, and pages 2 thru 7 are displayed in a frame. So the reload tries to refresh the page containing the frameset, which resulted from the login POST.

Chris
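The redirect-before-frameset fix described in this message, shown as an added example that is not part of the original post or thread. The paths (/login, /app, /logout), the cookie name sid and the in-memory credential check are assumptions made for illustration.

```python
# Added example: login POST answers with a redirect, so the frameset is
# always the result of a GET and a browser refresh never re-sends credentials.
import secrets
from urllib.parse import parse_qs

SESSIONS = set()                      # valid session ids (in-memory, demo only)
USERS = {"alice": "constructed-pw"}   # constructed account; stand-in for a real verifier

FRAMESET = ('<frameset cols="20%,80%"><frame src="/menu">'
            '<frame src="/page1"></frameset>')

def session_from(headers):
    """Return the session id from the Cookie header if it is still valid."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid" and value in SESSIONS:
            return value
    return None

def handle(method, path, headers=None, body=""):
    """Return (status, response_headers, body) for one request."""
    headers = headers or {}
    if method == "POST" and path == "/login":
        form = parse_qs(body)
        user = form.get("username", [""])[0]
        pw = form.get("password", [""])[0]
        if user in USERS and secrets.compare_digest(USERS[user].encode(), pw.encode()):
            sid = secrets.token_urlsafe(32)
            SESSIONS.add(sid)
            # 303 makes the browser fetch the frameset with GET; the parent
            # frame is no longer the document produced by the login POST.
            return 303, {"Location": "/app",
                         "Set-Cookie": f"sid={sid}; HttpOnly; Secure; SameSite=Lax"}, ""
        return 303, {"Location": "/login?failed=1"}, ""
    if method == "GET" and path == "/app":
        if session_from(headers):
            return 200, {"Cache-Control": "no-store"}, FRAMESET
        return 303, {"Location": "/login"}, ""  # refresh after logout lands here
    if method == "POST" and path == "/logout":
        SESSIONS.discard(session_from(headers))  # invalidate server-side
        return 303, {"Location": "/login", "Set-Cookie": "sid=; Max-Age=0"}, ""
    return 404, {}, ""
```

After logout, a refresh of the parent frame repeats GET /app with a dead session id and is sent to the login page; no username or password is in the request to replay.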