Pantek Library

RE: Browser refresh sends username/password after log out -- URGENT

From: <roshen.chandran(at)paladion.net>
Date: Wed Aug 06 2003 - 23:37:25 EDT

Extending Chris' note, we have seen this behaviour when the login post directly goes to a new frameset which then frames all the remaining pages till logout. The parent frame still "remembers" the variables posted to receive it even when you navigate the other pages.

This problem can be solved if a re-direction is used on authentication and before the frameset is created; the username/passwords will not get re-sent on browser refresh of the 6th page if the frameset is itself created through a re-direction in the first place.

Thanks,
-Roshen

Paladion Networks
www.paladion.net

-----Original Message-----

From: Chris Scott [mailto:cgscott@ll.mit.edu]
Sent: Wednesday, August 06, 2003 7:56 PM
To: webappsec@securityfocus.com
Subject: Re: Browser refresh sends username/password after log out -- URGENT

Possibly due to the use of frames. The result of the POST for the login form could be a frameset, and pages 2 thru 7 are displayed in a frame. So the reload tries to refresh the page containing the frameset, which resulted from the login POST.

Chris

Received on Thu Aug 7 07:17:35 2003
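The redirect-before-frameset fix described in this thread, sketched as a small WSGI application. This is an added example, not code from either poster; the routes `/login`, `/app` and `/logout`, the `sid` cookie name, the demo account and the `call` helper are all assumptions made for illustration.

```python
import hmac, io, secrets
from urllib.parse import parse_qs

USERS = {"alice": "s3cret-demo"}   # constructed demo account
SESSIONS = {}                      # session id -> username
FRAMESET = b"<frameset cols='20%,80%'><frame src='/menu'><frame src='/page1'></frameset>"

def _session(environ):
    # Return the session id from the Cookie header if it is still valid.
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid" and value in SESSIONS:
            return value
    return None

def app(environ, start_response):
    method, path = environ["REQUEST_METHOD"], environ["PATH_INFO"]
    sid = _session(environ)
    if method == "POST" and path == "/login":
        size = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(size).decode())
        user = form.get("username", [""])[0]
        given = form.get("password", [""])[0].encode()
        expected = USERS.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), given):
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"login failed"]
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = user
        # Redirect instead of rendering the frameset as the POST response, so the
        # parent frame's URL is a plain GET with no credentials to re-send.
        start_response("303 See Other", [("Location", "/app"),
                       ("Set-Cookie", f"sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/")])
        return [b""]
    if method == "POST" and path == "/logout":
        SESSIONS.pop(sid, None)    # server-side invalidation of the session
        start_response("303 See Other", [("Location", "/")])
        return [b""]
    if method == "GET" and path == "/app" and sid:
        start_response("200 OK", [("Content-Type", "text/html"), ("Cache-Control", "no-store")])
        return [FRAMESET]
    start_response("401 Unauthorized", [("Content-Type", "text/plain")])
    return [b"please log in"]

def call(method, path, body=b"", cookie=""):
    # Minimal in-process WSGI client (hypothetical helper) so the example runs offline.
    out = {}
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "HTTP_COOKIE": cookie,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    data = b"".join(app(environ, lambda s, h: out.update(status=s, headers=dict(h))))
    return out["status"], out["headers"], data
```

With this layout, a refresh of the parent frame after logout repeats only `GET /app` with a session cookie the server no longer recognises, so there is no login POST for the browser to replay.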

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:54 EDT
