WebApp Sec mailing list archives
RE: IE "refresh" method.
From: Bénoni MARTIN <Benoni.MARTIN () libertis ga>
Date: Mon, 19 Jul 2004 12:37:32 +0100
Many reasons can occur, let's try these randomly:

- ISAPI cache is maybe on?
- If you are using ASP, try inserting this in the top of your page (this should prevent your page from being cached):

<%
' Cache directives sent to the browser and to any proxy in between
pStr = "private, no-cache, must-revalidate"
' Expiry date in the past, so a stored copy is already stale
Response.ExpiresAbsolute = #2000-01-01#
Response.AddHeader "pragma", "no-cache"
Response.AddHeader "cache-control", pStr
%>

- Do you have a proxy set up?
- Maybe your IE settings keep some pages cached

Just some clues... :)

-----Original Message-----
From: Peter Conrad [mailto:conrad () tivano de]
Sent: Monday, 19 July 2004 09:33
To: webappsec () securityfocus com
Subject: Re: IE "refresh" method.

Hi,

On Fri, Jul 16, 2004 at 04:32:00PM -0500, Jason_D_Norman () Dell com wrote:
> We have a strange behavior being noted on a web app. Within IE (version 6 patched to within an inch of its life, on Windows XP), we have a page loaded that has a session timeout (via a Java method). The session timeout is set to, say, 5 minutes.
I suppose the session timeout is handled on the server side? What kind of a web application do you have? Java Servlets? ASP?
> After 6 minutes, if a user refreshes the page using either our "refresh" button on the page (which uses 'java.document.location.reload(true)'), or if the user uses F5 to refresh the page, the session timeout is invoked and the user is redirected to the login page. However, if the user presses the refresh / reload button in the toolbar, the page refreshes....no timeout occurs....and the session timer re-sets to 0, as though the user just clicked thru from an authenticated page.
If the timeout is handled on the server, it doesn't matter what kind of button you press on the client. In that case the only sensible assumption is that pressing "Reload" in fact creates a new session, possibly by re-submitting a login form or sth like that.

Bye,
Peter
--
Peter Conrad                        Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH             Fax: +49 6102 / 80 99 071
Bahnhofstr. 18                      http://www.tivano.de/
63263 Neu-Isenburg
Germany
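
Added example, not part of the original thread or any poster's code: a minimal Python model of a server-side idle timeout, assuming hypothetical paths /login and /app and a constructed account. It shows the two points made in the replies: the server decides the timeout whichever button sends the request, and a reload that re-submits the login form is handed a fresh session; every response carries the no-cache directives from the ASP snippet.

```python
import hmac
import secrets

IDLE_TIMEOUT = 5 * 60  # seconds; the 5-minute timeout from the thread
NO_CACHE = {  # same directives as the ASP snippet in the reply
    "Cache-Control": "private, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "Sat, 01 Jan 2000 00:00:00 GMT",
}
USERS = {"alice": "constructed-password"}  # constructed sample account
sessions = {}  # session id -> time of the last accepted request


def handle(method, path, sid, form, now):
    """Return (status, headers, session_id) for one request at time `now`."""
    if method == "POST" and path == "/login":  # hypothetical login route
        user, pw = form.get("user"), form.get("password", "")
        if user in USERS and hmac.compare_digest(USERS[user], pw):
            # A replayed login POST also lands here and gets a new session.
            sessions.pop(sid, None)
            new_sid = secrets.token_hex(16)
            sessions[new_sid] = now
            return 302, {"Location": "/app", **NO_CACHE}, new_sid
        return 401, dict(NO_CACHE), None
    last_seen = sessions.get(sid)
    if last_seen is None or now - last_seen > IDLE_TIMEOUT:
        sessions.pop(sid, None)  # expired: destroy the server-side state
        return 302, {"Location": "/login", **NO_CACHE}, None
    sessions[sid] = now  # sliding window: activity resets the timer
    return 200, dict(NO_CACHE), sid


def replay_demo():
    """Log in, idle for 6 minutes, then reload in two different ways."""
    creds = {"user": "alice", "password": "constructed-password"}
    _, _, sid = handle("POST", "/login", None, creds, now=0)
    # Reload that re-fetches the page: the server sees an expired session.
    get_status, get_headers, _ = handle("GET", "/app", sid, {}, now=360)
    # Reload that re-submits the login form: a new session is created.
    post_status, _, sid2 = handle("POST", "/login", sid, creds, now=360)
    after_status, _, _ = handle("GET", "/app", sid2, {}, now=361)
    return (get_status, get_headers["Location"], post_status,
            sid2 != sid, after_status)
```

Checking the server access log for a POST to the login URL at the moment of the toolbar reload, or for no request at all (a cached copy), separates the two explanations offered in the thread.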