WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

RE: IE "refresh" method.

From: Bénoni MARTIN <Benoni.MARTIN () libertis ga>
Date: Mon, 19 Jul 2004 12:37:32 +0100
Many reasons can occur, let's try these randomly:
        - ISAPI cache is maybe on?
        - If you are using ASP, try inserting this in the top of your page (this should prevent your page from beeing 
cached):
                        <% 
                         pStr = "private, no-cache, must-revalidate" 
                         Response.ExpiresAbsolute = #2000-01-01# 
                         Response.AddHeader "pragma", "no-cache" 
                         Response.AddHeader "cache-control", pStr 
                        %> 
        - Do you have a proxy set up?
        - Maybe your IE settings keep some pages cached

Just some clues... :)

 

-----Message d'origine-----
De : Peter Conrad [mailto:conrad () tivano de] 
Envoyé : lundi 19 juillet 2004 09:33
À : webappsec () securityfocus com
Objet : Re: IE "refresh" method.

Hi,

On Fri, Jul 16, 2004 at 04:32:00PM -0500, Jason_D_Norman () Dell com wrote:

We have a strange behavior being noted on a web app.  Within IE 
(version
6 patched to within an inch of it's life, on Windows XP), we have a 
page loaded that has a session timeout (via a Java method).  The 
session timeout is set to, say, 5 minutes.


I suppose the session timeout is handled on the server side? What kind of a web application do you have? Java Servlets? 
ASP?


After 6 minutes, if a user refreshes the page using either our "refresh"
button on the page (which uses 'java.document.location.reload(true)'),
or if the user uses F5 to refresh the page, the session timeout is 
invoked and the user is redirected to the login page.

However, if the user presses the refresh / reload button in the 
toolbar, the page refreshes....no timeout occurs....and the session 
timer re-sets to 0, as though the user just clicked thru from an authenticated page.


If the timeout is handled on the server, it doesn't matter what kind of button you press on the client. In that case 
the only sensible assumption is that pressing "Reload" in fact creates a new session, possibly be re-submitting a login 
form or sth like that.

Bye,
        Peter
-- 
Peter Conrad                        Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH             Fax: +49 6102 / 80 99 071
Bahnhofstr. 18                      http://www.tivano.de/
63263 Neu-Isenburg

Germany
Previous By Date Next
Previous By Thread Next

Current thread: