
RE: Browser refresh sends username/password after log out -- URGENT

From: Tim Aranki <tim.aranki(at)dev-quest.com>
Date: Wed Aug 06 2003 - 09:45:07 EDT


The fact that a refresh on the 7th page is sending the form vars from the login sounds to me like something else is happening:

  1. Refresh on 7th page
  2. App determines that user is not logged in and redirects to login page
  3. Browser tries to be smart, and on the redirect sends its cached form vars for the login page

Do you see any redirect headers in the net traffic? Unless you are writing the login form fields to every page, I do not see how/why the browser would resend those specific field vars...why would it not send all field vars from the last 6 pages then? My guess is a redirect, and a browser that is trying to be too smart.

Hth,
-tim

-----Original Message-----
From: Krk [mailto:krk41@yahoo.com]
Sent: Tuesday, August 05, 2003 11:59 PM
To: Ingo Struck
Cc: webappsec@securityfocus.com
Subject: RE: Browser refresh sends username/password after log out -- URGENT

Hi Ingo ...
  thanks for the reply.

More clearly the issue here is also that:

1.) We login using username/password
2.) Suppose we have browsed 7 pages after log in and then we say logout and we get logout message so after logging in this is the 8th page.

3.) Now after this we just do 1 back, so effectively we should be in the 7th page that we had browsed.

4.) Now we do a refresh (this is again on the 7th page and not on the login page) and the same request that we had sent in the login form is being resent. This is what I am wondering that how come the refresh sends the form fields that were entered in the Login Form and not the "Logout" request which we had sent from the 7th page.

5.) Hope I am making the question clear.


thanks

Krk
--- Ingo Struck <ingo@ingostruck.de> wrote:
> Hi...



" DON'T WORRY BE HAPPY,
     EVERY NIGHT YOU HAVE SOME TROUBLE,
     IF YOU WORRY YOU MAKE IT DOUBLE,
     SO DON'T WORRY BE HAPPY NOW...."

Received on Wed Aug 6 09:55:37 2003
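Added example, not part of the original thread or written by its participants: one way to check captured traffic for the redirect Tim asks about, by flagging any POST that carries the login fields to the target of the immediately preceding 3xx response. The field names, paths, host, credentials and the whole trace are constructed assumptions.

```python
from urllib.parse import parse_qs, urlsplit

LOGIN_FIELDS = {"username", "password"}  # assumed names of the login form fields

def parse_message(raw):
    """Split a raw HTTP message into (start line, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def find_redirected_resubmits(exchanges, login_fields=LOGIN_FIELDS):
    """Report POSTs carrying login fields to the target of the preceding redirect."""
    findings, pending = [], None  # pending = (index, status, path) of last 3xx
    for i, (req_raw, resp_raw) in enumerate(exchanges):
        req_line, _, req_body = parse_message(req_raw)
        method, target, _ = req_line.split(" ", 2)
        sent = set(parse_qs(req_body)) & login_fields if method == "POST" else set()
        if pending and sent and urlsplit(target).path == pending[2]:
            findings.append({"redirect_at": pending[0], "status": pending[1],
                             "resent_at": i, "fields": sorted(sent)})
        status_line, resp_headers, _ = parse_message(resp_raw)
        status = int(status_line.split(" ")[1])
        location = resp_headers.get("location")
        is_redirect = 300 <= status < 400 and location
        pending = (i, status, urlsplit(location).path) if is_redirect else None
    return findings

def exchange(request_line, status_line, body="", location=None):
    """Build one constructed (request, response) pair for the sample trace."""
    req = f"{request_line}\r\nHost: app.example\r\nContent-Length: {len(body)}\r\n\r\n{body}"
    loc = f"Location: {location}\r\n" if location else ""
    return req, f"{status_line}\r\n{loc}Content-Length: 0\r\n\r\n"

CREDS = "username=alice&password=example-pass"  # constructed sample values
SAMPLE_TRACE = [  # constructed trace following the sequence described in the thread
    exchange("POST /login HTTP/1.1", "HTTP/1.1 200 OK", CREDS),
    exchange("GET /page7 HTTP/1.1", "HTTP/1.1 200 OK"),
    exchange("GET /logout HTTP/1.1", "HTTP/1.1 200 OK"),
    exchange("GET /page7 HTTP/1.1", "HTTP/1.1 302 Found", location="/login"),  # refresh
    exchange("POST /login HTTP/1.1", "HTTP/1.1 200 OK", CREDS),  # fields resent
]

if __name__ == "__main__":
    for finding in find_redirected_resubmits(SAMPLE_TRACE):
        print(finding)
```

An empty result on a real capture means the login fields were not resent to a redirect target, so the resubmission would have to come from somewhere other than the redirect path described above.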

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:54 EDT

