WebApp Sec mailing list archives

Re: Browser refresh sends username/password after log out -- URGENT


From: Alex 'CAVE' Cernat <cave () cernat ro>
Date: Tue, 5 Aug 2003 14:34:56 +0300

> I am into remote application testing for a critical
> banking application. The following points will make
> the question clear

you didn't specify what type of authentication you use; I believe it is
401 (basic authentication or something like that); when a browser
receives a 401 error code (auth. required), it asks the user for
name/password (or takes it directly if save password was checked before)
and sends the username/password almost in clear (it's base64, but very
easily crackable); afaik any subsequent page for that server will be
requested with the authentication header on, no matter which page it is; and
afaik, there is no antidote for basic authentication, you can only close
the window or the browser (I mean all windows of that browser) to
'logout'

I'm not sure this is what you have ...

Alex
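The exchange described in the reply above, as an added example that is not part of the original post and not code from any product the thread discusses: a toy model of HTTP Basic authentication showing the 401 challenge, the base64-encoded Authorization header (decoded back to cleartext in one call), and a hypothetical browser class that keeps re-sending the header on every later request because the protocol has no logout message. The realm name "bank", the user table and the host name are constructed for the demo.

```python
"""Added example (not from the original post): toy model of HTTP Basic auth.

Assumptions not taken from the thread: a hypothetical realm "bank", a
constructed user table, and BasicAuthBrowser as a stand-in for real browser
behaviour.
"""
import base64
from typing import Dict, Optional, Tuple

# Constructed credential store for the demo; a real service stores a salted
# hash, never the cleartext password.
USERS: Dict[str, str] = {"alice": "s3cret"}


def challenge(realm: str) -> str:
    """Server side: the 401 response that makes the browser prompt for credentials."""
    return ("HTTP/1.1 401 Unauthorized\r\n"
            f'WWW-Authenticate: Basic realm="{realm}"\r\n'
            "Content-Length: 0\r\n\r\n")


def build_authorization(username: str, password: str) -> str:
    """Client side: the header the browser attaches once it has credentials."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Authorization: Basic {token}"


def decode_authorization(header_line: str) -> Optional[Tuple[str, str]]:
    """Recover cleartext user and password from an Authorization header line.

    Base64 is an encoding, not encryption: anyone who can read the request
    (a proxy, a capture on a non-TLS link) gets the password back with one
    call. Returns None for a malformed or non-Basic header.
    """
    name, _, value = header_line.partition(":")
    if name.strip().lower() != "authorization":
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id cannot contain ':', so split at the first colon.
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def handle_request(raw_request: str, realm: str = "bank") -> str:
    """Server side: answer a raw HTTP request; 401 until valid credentials arrive."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        creds = decode_authorization(line)
        if creds is None:
            continue
        user, password = creds
        if USERS.get(user) == password:
            return "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
        break
    return challenge(realm)


class BasicAuthBrowser:
    """Hypothetical browser model: after one 401 the header is remembered per
    realm and sent on every later request, whatever the page. Nothing the
    server can send makes the browser forget it; only closing the browser does."""

    def __init__(self, username: str, password: str) -> None:
        self._creds = (username, password)
        self._remembered: Dict[str, str] = {}
        self.challenges = 0          # how many times the user was prompted
        self.last_request = ""

    def fetch(self, path: str, realm: str = "bank") -> str:
        lines = [f"GET {path} HTTP/1.1", "Host: bank.example"]
        if realm in self._remembered:
            lines.append(self._remembered[realm])
        self.last_request = "\r\n".join(lines) + "\r\n\r\n"
        response = handle_request(self.last_request, realm)
        if response.startswith("HTTP/1.1 401") and realm not in self._remembered:
            self.challenges += 1      # prompt (or saved password), then retry
            self._remembered[realm] = build_authorization(*self._creds)
            lines.append(self._remembered[realm])
            self.last_request = "\r\n".join(lines) + "\r\n\r\n"
            response = handle_request(self.last_request, realm)
        return response


if __name__ == "__main__":
    browser = BasicAuthBrowser("alice", "s3cret")
    browser.fetch("/account")        # 401, prompt, retry with header
    browser.fetch("/logout")         # no prompt: header is sent again anyway
    print(decode_authorization(browser.last_request.split("\r\n")[2]))
```

The second fetch is the point of the thread: a request to a page named "/logout" still carries the same Authorization header, and the server has no response that tells the browser to drop it, so the credentials stay available to anyone who can read the link or use the open browser.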

