WebApp Sec mailing list archives
Re: Browser refresh sends username/password after log out -- URGENT
From: Phillip Schroeder <phils () saintjoe edu>
Date: Tue, 05 Aug 2003 13:58:46 -0500
The problem with this, if I remember correctly, is that browsers contain their own "history cache" of sorts, that pays no attention to HTTP directives (such as "Cache-Control: no-cache"). As Ingo said, this is a "feature" of today's browsers used to give the user the closest representation of a page in the browser's history.
I've done quite a bit of web application programming, and I remember doing a bit of research on the subject. Unfortunately, I also remember that the best answer I could come up with was also along the lines of what Ingo had to say: make sure the user knows to close the browser when they are finished with a sensitive transaction.
The only other option is to send a key with each form submission...much like what Ingo already said. It's definitely more work, but you'll be able to sleep at night.
Wow...if this wasn't a plug for Ingo Struck, I don't know what is.

-p

Imre Kertesz wrote:
> If I understand this correctly, the application is allowing caching of the credentials. One way to discourage this, from the application's perspective, is to include a script function such as <FORM AUTOCOMPLETE="off"> within the splash page script, as well as the appropriate Cache-Control directive (e.g. "Cache-Control: no-cache"). Just the fact that this caching of credentials is possible within a banking application makes the app a potential target for attackers who may see it as a treasure trove of vulnerabilities.
>
> -I
--
Phil Schroeder
phils () saintjoe edu
http://phigga.blogspot.com
------------------------------------------------------------------
Computer Systems Analyst / Webmaster
Saint Joseph's College

"I'm all in favor of keeping dangerous weapons out of the hands of fools. Let's start with typewriters."
- Frank Lloyd Wright (1868-1959)
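One way to implement the "key with each form submission" that both messages point to, as an added example that is not code from this thread: the server issues a single-use token with every login form and rejects any POST whose token has already been consumed, so a refresh that re-sends the browser's cached credentials fails instead of logging the user back in. The LoginService class, the credential store and the header set are constructed for illustration; the no-store header is added because no-cache alone does not stop the history cache the thread describes.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Headers sent with the login form and its response. Cache-Control: no-cache
# by itself does not prevent the back/forward "history cache"; no-store asks
# the browser not to retain the response at all.
NO_CACHE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "0",
}


@dataclass
class LoginService:
    # Constructed sample credential store (hypothetical; a real deployment
    # stores password hashes, not plaintext).
    users: dict = field(default_factory=lambda: {"alice": "correct horse"})
    pending_tokens: set = field(default_factory=set)
    sessions: dict = field(default_factory=dict)

    def render_login_form(self):
        """Issue a single-use form token; return (html, token, headers)."""
        token = secrets.token_urlsafe(32)
        self.pending_tokens.add(token)
        form = (
            '<form method="post" action="/login" autocomplete="off">'
            f'<input type="hidden" name="form_token" value="{token}">'
            '<input name="user"><input type="password" name="pw">'
            "</form>"
        )
        return form, token, NO_CACHE_HEADERS

    def login(self, form_token, user, pw):
        """Accept the POST only if its token has never been consumed."""
        # Consume the token before checking credentials, so a replayed POST
        # (e.g. a browser refresh after logout) is refused even though the
        # credentials it carries are still valid.
        if form_token not in self.pending_tokens:
            return {"status": 400, "error": "stale or reused form token"}
        self.pending_tokens.discard(form_token)
        expected = self.users.get(user, "")
        if not hmac.compare_digest(expected.encode(), pw.encode()):
            return {"status": 401, "error": "bad credentials"}
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = user
        return {"status": 200, "session": session_id}

    def logout(self, session_id):
        """Drop the server-side session; a later replay still fails on the token."""
        self.sessions.pop(session_id, None)
```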