WebApp Sec mailing list archives
RE: Browser refresh sends username/password after log out -- URGENT
From: "Tiago Halm" <thalm () netcabo pt>
Date: Tue, 5 Aug 2003 17:36:24 +0100
When you press "Back", your browser tries to use the page stored in the cache. To avoid your browser to use the cache, all you need to do is to make your web server deliver pages not cacheable. Depending on the web server and its functionality there is always a way to do it. Beware of the proxy cache and client cache. You must "tell" the proxy and the client not to cache the page since it has expired already. Example Headers for the Http Response: (hope this is correct, but please do read the RFC for more accurate info) Pragma: No-Cache Cache-Control: No-Cache Expires: -1 etc... In important and critical applications such as a banking application that is a must! Hope it helps, Tiago Halm -----Original Message----- From: K Kohli [mailto:krk41 () yahoo com] Sent: terça-feira, 5 de Agosto de 2003 5:56 To: webappsec () securityfocus com Subject: Browser refresh sends username/password after log out -- URGENT I am into remote application testing for a critical banking application. The following points will make the question clear 1)We login and browse the banking site, do transactions etc and then logout from there. 2)We get a page saying you have been successfully logged out 3) Now we do a Back and refresh on the browser window and we get a pop up "The page cannot be refreshed without resending the information. Press retry to sending it again ...." . 4) From here we say "Retry" and watch the data going in a Web Proxy. 5) We are able to see the Username and password again being sent to the server. When we compare this request with the one sent from the first login page( Where we give the username/password), both are exactly the same. I feel thaat the same request is being resend. This is a great security risk as the credentials are being passed again. 6) Can anyone explain this behaviour and how to avoid the resubmission of the credentials. 7) How many requests does the browser window store in its temporary cache. ===== " DON'T WORRY BE HAPPY, EVERY NIGHT YOU HAVE SOME TROUBLE, IF YOU WORRY YOU MAKE IT DOUBLE, SO DON'T WORRY BE HAPPY NOW...." __________________________________ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com
Current thread:
- Browser refresh sends username/password after log out -- URGENT K Kohli (Aug 05)
- Re: Browser refresh sends username/password after log out -- URGENT Alex 'CAVE' Cernat (Aug 05)
- RE: Browser refresh sends username/password after log out -- URGENT Tiago Halm (Aug 05)
- Re: Browser refresh sends username/password after log out -- URGENT Imre Kertesz (Aug 05)
- Re: Browser refresh sends username/password after log out -- URGENT Spicciati Jaime (Aug 05)
- Re: Browser refresh sends username/password after log out -- URGENT Phillip Schroeder (Aug 05)
- <Possible follow-ups>
- Re: Browser refresh sends username/password after log out -- URGENT najeeb . hatami (Aug 05)
- RE: Browser refresh sends username/password after log out -- URGENT Ingo Struck (Aug 05)
- RE: Browser refresh sends username/password after log out -- URGENT Krk (Aug 06)
- Re: Browser refresh sends username/password after log out -- URGENT Ingo Struck (Aug 06)
- RE: Browser refresh sends username/password after log out -- URGENT Tim Aranki (Aug 06)
- Re: Browser refresh sends username/password after log out -- URGENT Chris Scott (Aug 06)
- RE: Browser refresh sends username/password after log out -- URGENT roshen.chandran (Aug 07)
- RE: Browser refresh sends username/password after log out -- URGENT Krk (Aug 06)