WebApp Sec mailing list archives
Re: Browser refresh sends username/password after log out -- URGENT
From: Alex 'CAVE' Cernat <cave () cernat ro>
Date: Tue, 5 Aug 2003 14:34:56 +0300
I am into remote application testing for a critical banking application. The following points will make the question clear
You didn't specify what type of authentication you use; I believe it is 401 (basic authentication or something like that). When a browser receives a 401 error code (auth. required), it asks the user for name/password (or takes it directly if save password was checked before) and sends the username/password almost in clear (it's base64, but very easily crackable). AFAIK any subsequent page for that server will be requested with the authentication header on, no matter which page it is; and AFAIK, there is no antidote for basic authentication: you can only close the window or the browser (I mean all windows of that browser) to 'logout'.

I'm not sure this is what you have ...

Alex
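The behaviour described in this message, as an added example that is not part of the original post: a check a tester could run over captured request headers to confirm whether the browser keeps sending Basic credentials after the logout request. The request list, the `/logout` path and the `alice:s3cret` credentials are constructed sample data, and the function names are hypothetical.

```python
import base64
import binascii

# Constructed sample: requests as (path, headers) in the order the browser
# sent them. "/logout" is an assumed application logout URL.
SAMPLE_REQUESTS = [
    ("/account", {}),                                            # answered with 401
    ("/account", {"Authorization": "Basic YWxpY2U6czNjcmV0"}),
    ("/transfer", {"Authorization": "Basic YWxpY2U6czNjcmV0"}),
    ("/logout", {"Authorization": "Basic YWxpY2U6czNjcmV0"}),
    ("/account", {"authorization": "Basic YWxpY2U6czNjcmV0"}),  # refresh after logout
]


def decode_basic(header_value):
    """Return (username, password) from an Authorization header, or None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # base64 is an encoding, not encryption: no key is needed to reverse it.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


def credentials_sent_after_logout(requests, logout_path="/logout"):
    """List (path, username) for requests that still carry Basic credentials
    after the first request to logout_path."""
    findings = []
    logged_out = False
    for path, headers in requests:
        # HTTP header names are case-insensitive.
        auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
        creds = decode_basic(auth) if auth else None
        if logged_out and creds:
            findings.append((path, creds[0]))
        if path == logout_path:
            logged_out = True
    return findings


if __name__ == "__main__":
    print(decode_basic("Basic YWxpY2U6czNjcmV0"))
    print(credentials_sent_after_logout(SAMPLE_REQUESTS))
```

A non-empty result means the server-side logout did not stop the browser from replaying the cached credentials.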