WebApp Sec mailing list archives
RE: Browser refresh sends username/password after log out -- URGE NT
From: Dean Saxe <Dean.Saxe () magnetbanking com>
Date: Tue, 5 Aug 2003 09:36:53 -0400
One way to solve this issue is to use a nonce on the login page. What I have done to prevent resubmission of a form containing the user's credentials is to include a nonce (random number) in the login form. The value for the nonce is set into the user's state as well. When the form is submitted for login, the nonce in the POST is compared to the nonce in the user's state; if they match, the nonce is deleted from the user's state and the login continues. If they don't match (in the scenario you describe below), the user is bounced back to the login screen again with an error message and a new pair of nonce values.

Hope this helps.

-dhs

-----Original Message-----
From: K Kohli [mailto:krk41 () yahoo com]
Sent: Tuesday, August 05, 2003 12:56 AM
To: webappsec () securityfocus com
Subject: Browser refresh sends username/password after log out -- URGENT

I am into remote application testing for a critical banking application. The following points will make the question clear:

1) We log in and browse the banking site, do transactions etc. and then log out from there.
2) We get a page saying you have been successfully logged out.
3) Now we do a Back and refresh on the browser window and we get a pop up "The page cannot be refreshed without resending the information. Press retry to sending it again ...".
4) From here we say "Retry" and watch the data going in a Web Proxy.
5) We are able to see the username and password again being sent to the server. When we compare this request with the one sent from the first login page (where we give the username/password), both are exactly the same. I feel that the same request is being resent. This is a great security risk as the credentials are being passed again.
6) Can anyone explain this behaviour and how to avoid the resubmission of the credentials?
7) How many requests does the browser window store in its temporary cache?
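The single-use login nonce Dean describes, worked through as an added example (this is not code from the post or from any product mentioned in the thread). The in-memory SESSIONS and USERS dicts, the dict-of-fields model of the HTML form, and the plaintext password store are constructed stand-ins for a real session framework and hashed-password database. The example follows the post's flow: one copy of the nonce goes into server-side state, one into the form; the POST handler compares the two, consumes the stored copy, and only then checks credentials. replay_scenario() reproduces the Back, Refresh, Retry sequence from the original question and shows the byte-identical resend being rejected.

```python
import hmac
import secrets

# Constructed in-memory stand-ins for the application's server-side session
# store and user database (assumptions for this example, not from the post).
SESSIONS: dict[str, dict] = {}
USERS = {"alice": "correct horse battery staple"}


def new_session() -> str:
    """Create an empty server-side session and return its identifier."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {}
    return sid


def render_login_form(sid: str) -> dict:
    """Issue a fresh, single-use nonce: one copy is kept in the session state,
    the other is embedded in the login form (modelled here as a dict of fields)."""
    nonce = secrets.token_urlsafe(32)
    SESSIONS[sid]["login_nonce"] = nonce
    return {"username": "", "password": "", "nonce": nonce}


def handle_login_post(sid: str, form: dict) -> dict:
    """Process a submitted login form: compare the POSTed nonce against the
    one held in session state, consume it, and continue only on a match."""
    state = SESSIONS.get(sid)
    if state is None:
        return {"ok": False, "error": "no session; please log in again"}

    # Consume the stored nonce on every attempt, whatever the outcome,
    # so the same form can never be accepted twice.
    expected = state.pop("login_nonce", None)
    submitted = form.get("nonce", "")
    if expected is None or not hmac.compare_digest(expected, submitted):
        # Replay, stale form or forged request: bounce back to the login
        # screen with an error and a new pair of nonce values.
        render_login_form(sid)
        return {"ok": False, "error": "login form expired; please log in again"}

    # Credential check (constructed; compare_digest avoids timing leaks).
    username = form.get("username", "")
    password = form.get("password", "")
    stored = USERS.get(username, "")
    if not hmac.compare_digest(stored.encode(), password.encode()):
        render_login_form(sid)
        return {"ok": False, "error": "invalid username or password"}

    # Rotate the session identifier on the privilege change so a pre-login
    # session id is never promoted to an authenticated one.
    del SESSIONS[sid]
    new_sid = new_session()
    SESSIONS[new_sid]["user"] = username
    return {"ok": True, "session": new_sid}


def logout(sid: str) -> None:
    """Destroy the session server-side; later requests with this id are anonymous."""
    SESSIONS.pop(sid, None)


def replay_scenario() -> tuple:
    """The thread's scenario: log in, log out, then resend the identical login
    POST (what the browser does on Back, Refresh, Retry).
    Returns (first_login_ok, replay_ok)."""
    sid = new_session()
    form = render_login_form(sid)
    form.update(username="alice", password="correct horse battery staple")
    first = handle_login_post(sid, dict(form))        # genuine submission
    if first["ok"]:
        logout(first["session"])
    # The logout page hands the browser a fresh anonymous session; the
    # resent POST still carries the old, already-consumed nonce.
    replay = handle_login_post(new_session(), dict(form))
    return first["ok"], replay["ok"]


if __name__ == "__main__":
    print(replay_scenario())
```

Note what the check does and does not do: it stops the server from acting on the resent credentials (the replay is rejected and a new form is issued), but it does not stop the browser from retransmitting the original POST body, which is what the proxy in the original question observed. Keeping the credentials off the wire a second time is a separate concern handled on the client and response side, for example by answering the login POST with a redirect so that Back and Refresh land on a GET.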
Current thread:
- RE: Browser refresh sends username/password after log out -- URGE NT Dean Saxe (Aug 05)
- <Possible follow-ups>
- RE: Browser refresh sends username/password after log out -- URGE NT Andy Talbot (Aug 06)