Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: securityfocus.com > webappsec > 03 > 081006.html (Request Expert securityfocus.com Support)

RE: Browser refresh sends username/password after log out -- URGENT

From: Michael Silk <michaels(at)phg.com.au>
Date: Tue Aug 05 2003 - 18:43:33 EDT


Well, I had a somewhat similar problem... my app uses NT authentication, so I needed to find the "AUTHORIZATION" header upon login to resolve their name (for various things) and I found that if I cleared the session (logout) and then went
"Back", the header was not sent again. so I simply
check for that (if my session is clear) and then I know they are coming to my page from an invalid zone... perhaps you can solve it similarly?

-----Original Message-----
From: K Kohli [mailto:krk41@yahoo.com]
Sent: Tuesday, 5 August 2003 2:56 PM
To: webappsec@securityfocus.com
Subject: Browser refresh sends username/password after log out -- URGENT

I am into remote application testing for a critical banking application. The following points will make the question clear
1)We login and browse the banking site, do transactions etc and then logout from there. 2)We get a page saying you have been successfully logged out
3) Now we do a Back and refresh on the browser window and we get a pop up "The page cannot be refreshed without resending the information. Press retry to sending it again ...." .
4) From here we say "Retry" and watch the data going in a Web Proxy.
5) We are able to see the Username and password again being sent to the server. When we compare this request with the one sent from the first login page( Where we give the username/password), both are exactly the same. I feel thaat the same request is being resend. This is a great security risk as the credentials are being passed again.
6) Can anyone explain this behaviour and how to avoid the resubmission of the credentials. 7) How many requests does the browser window store in its temporary cache.


" DON'T WORRY BE HAPPY, 
     EVERY NIGHT YOU HAVE SOME TROUBLE,
     IF YOU WORRY YOU MAKE IT DOUBLE,
     SO DON'T WORRY BE HAPPY NOW...."

__________________________________

Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com

CAUTION: This email message and accompanying data may contain information that is confidential and/or subject to legal privilege. If you are not the intended recipient, you are notified that any use, dissemination, distribution or copying of this message or data is prohibited. If you have received this email message in error, please notify us immediately and erase all copies of this message and attachments. Thank you.

This email is for your convenience only, you should not rely on any information contained herein for contractual or legal purposes. You should only rely on information and/or instructions in writing and on company letterhead signed by authorised persons. Received on Tue Aug 5 21:10:59 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:54 EDT

Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library