WebApp Sec mailing list archives

RE: Browser refresh sends username/password after log out -- URGENT


From: <roshen.chandran () paladion net>
Date: Thu, 7 Aug 2003 09:07:25 +0530


Extending Chris' note, we have seen this behaviour when the login post
directly goes to a new frameset which then frames all the remaining pages
till logout. The parent frame still "remembers" the variables posted to
receive it even when you navigate the other pages.

This problem can be solved if a re-direction is used on authentication
and before the frameset is created; the username/passwords will not get
re-sent on browser refresh of the 6th page if the frameset is itself
created through a re-direction in the first place.

Thanks,
-Roshen

Paladion Networks
www.paladion.net
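The two flows described above, as an added example that is not code from this thread: a minimal WSGI login where the POST answers directly with the frameset (so Refresh re-submits the credentials) beside the redirect-before-frameset fix, plus a small browser-like driver that reports what a Refresh of the final document would re-send. Credentials, session token and frameset markup are constructed for the demo.

```python
import io
from urllib.parse import parse_qs

FRAMESET = b"<frameset cols='*'><frame src='/page1'></frameset>"  # constructed
SESSION_COOKIE = "sid=constructed-session-token"                    # constructed

def _login_ok(environ):
    """Read the POST body and check the constructed demo credentials."""
    n = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(n).decode())
    return form.get("user") == ["alice"] and form.get("pw") == ["s3cret"]

def vulnerable_app(environ, start_response):
    """POST /login answers 200 with the frameset itself: the document the
    browser shows is the POST result, so Refresh re-submits the credentials."""
    if (environ["REQUEST_METHOD"], environ["PATH_INFO"]) == ("POST", "/login") and _login_ok(environ):
        start_response("200 OK", [("Content-Type", "text/html")])
        return [FRAMESET]
    start_response("403 Forbidden", [("Content-Type", "text/plain")])
    return [b"denied"]

def fixed_app(environ, start_response):
    """POST /login only issues the session and redirects; the frameset comes
    from GET /app, so Refresh replays a credential-free GET."""
    method, path = environ["REQUEST_METHOD"], environ["PATH_INFO"]
    if method == "POST" and path == "/login" and _login_ok(environ):
        start_response("303 See Other", [("Location", "/app"), ("Set-Cookie", SESSION_COOKIE)])
        return [b""]
    if method == "GET" and path == "/app" and SESSION_COOKIE in environ.get("HTTP_COOKIE", ""):
        start_response("200 OK", [("Content-Type", "text/html")])
        return [FRAMESET]
    start_response("403 Forbidden", [("Content-Type", "text/plain")])
    return [b"denied"]

def login_then_refresh(app, body=b"user=alice&pw=s3cret"):
    """Drive one login like a browser: follow 3xx with GET, keep the cookie,
    and return the request a Refresh of the final document would re-send."""
    method, path, cookie, data = "POST", "/login", "", body
    for _ in range(5):  # bounded redirect chase
        resp = {}
        environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "HTTP_COOKIE": cookie,
                   "CONTENT_LENGTH": str(len(data)), "wsgi.input": io.BytesIO(data)}
        app(environ, lambda status, headers: resp.update(status=status, headers=dict(headers)))
        if not resp["status"].startswith("3"):
            return {"method": method, "path": path, "body": data, "status": resp["status"]}
        cookie = resp["headers"].get("Set-Cookie", cookie)
        method, path, data = "GET", resp["headers"]["Location"], b""
    raise RuntimeError("too many redirects")
```

With `vulnerable_app` the replayed request is `POST /login` carrying the credential body; with `fixed_app` it is a bare `GET /app` authenticated by the session cookie.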




-----Original Message-----
From: Chris Scott [mailto:cgscott () ll mit edu] 
Sent: Wednesday, August 06, 2003 7:56 PM
To: webappsec () securityfocus com
Subject: Re: Browser refresh sends username/password after log out -- URGENT


Possibly due to the use of frames. The result of the POST for the login
form could be a frameset, and pages 2 thru 7 are displayed in a frame.
So the reload tries to refresh the page containing the frameset, which
resulted from the login POST.

Chris




