WebApp Sec mailing list archives
Re: IE "refresh" method.
From: Peter Conrad <conrad () tivano de>
Date: Mon, 19 Jul 2004 10:32:40 +0200
Hi, On Fri, Jul 16, 2004 at 04:32:00PM -0500, Jason_D_Norman () Dell com wrote:
We have a strange behavior being noted on a web app. Within IE (version 6 patched to within an inch of it's life, on Windows XP), we have a page loaded that has a session timeout (via a Java method). The session timeout is set to, say, 5 minutes.
I suppose the session timeout is handled on the server side? What kind of a web application do you have? Java Servlets? ASP?
After 6 minutes, if a user refreshes the page using either our "refresh" button on the page (which uses 'java.document.location.reload(true)'), or if the user uses F5 to refresh the page, the session timeout is invoked and the user is redirected to the login page. However, if the user presses the refresh / reload button in the toolbar, the page refreshes....no timeout occurs....and the session timer re-sets to 0, as though the user just clicked thru from an authenticated page.
If the timeout is handled on the server, it doesn't matter what kind of button you press on the client. In that case the only sensible assumption is that pressing "Reload" in fact creates a new session, possibly be re-submitting a login form or sth like that. Bye, Peter -- Peter Conrad Tel: +49 6102 / 80 99 072 [ t]ivano Software GmbH Fax: +49 6102 / 80 99 071 Bahnhofstr. 18 http://www.tivano.de/ 63263 Neu-Isenburg Germany
Current thread:
- IE "refresh" method. Jason_D_Norman (Jul 17)
- Re: IE "refresh" method. Peter Conrad (Jul 19)
- <Possible follow-ups>
- RE: IE "refresh" method. BĂ©noni MARTIN (Jul 19)