WebApp Sec mailing list archives
Re: Browser refresh sends username/password after log out -- URGENT
From: "Jim McGarvey" <mcga0031 () umn edu>
Date: Wed, 6 Aug 2003 08:44:15 -0700
More clearly the issue here is also that: 1.) We login using username/password
Hi Krk, could you please clarify which type of authentication you are using to make sure we're not missing something obvious. Are you using form-based authentication or HTTP authentication? Form-based authentication is when you have a login page for your application containing a FORM with INPUT tags for the username and password. HTTP authentication typically protects an entire directory and the user's web browser will pop-up a login message box where they enter their username and password. Most of the responses to your question have assumed that you are using form-based authentication, because your initial e-mail stated that as the problem occurred you received the message "Press retry to send it again," assuming this was happening when you were trying to resend the first login page, not the 7th page. But if you get this message on the 7th page, then perhaps you aren't using form-based authentication to begin with. If you use form-based authentication, then I would say what's been said so far is pretty accurate. If you use HTTP authentication, that changes things. That would explain why you see your username and password get sent again when refreshing the logout page... or any of the application pages for that matter, since basic HTTP authentication will typically resend your username and password with each request. Regards, -Jim
Current thread:
- Re: Browser refresh sends username/password after log out -- URGENT, (continued)
- Re: Browser refresh sends username/password after log out -- URGENT Imre Kertesz (Aug 05)
- Re: Browser refresh sends username/password after log out -- URGENT Spicciati Jaime (Aug 05)
- Re: Browser refresh sends username/password after log out -- URGENT Phillip Schroeder (Aug 05)
- Re: Browser refresh sends username/password after log out -- URGENT najeeb . hatami (Aug 05)
- RE: Browser refresh sends username/password after log out -- URGENT Ingo Struck (Aug 05)
- RE: Browser refresh sends username/password after log out -- URGENT Krk (Aug 06)
- Re: Browser refresh sends username/password after log out -- URGENT Ingo Struck (Aug 06)
- RE: Browser refresh sends username/password after log out -- URGENT Tim Aranki (Aug 06)
- Re: Browser refresh sends username/password after log out -- URGENT Chris Scott (Aug 06)
- RE: Browser refresh sends username/password after log out -- URGENT roshen.chandran (Aug 07)
- RE: Browser refresh sends username/password after log out -- URGENT Krk (Aug 06)
- Re: Browser refresh sends username/password after log out -- URGENT Jim McGarvey (Aug 06)
- Re: Browser refresh sends username/password after log out -- URGENT Imre Kertesz (Aug 05)