Re: login security issue

  • Subject: Re: login security issue
  • From: Miguel Arroz <email@hidden>
  • Date: Wed, 12 Jul 2006 21:27:42 +0100

Hi!

Well, that's a problem on the browser, not your app. Browsers tend to save the form fields automatically, including the password ones (especially if people answer "Yes" to "That irritating dialog that keeps appearing that I don't know what it's for" (the "Should I store this password?" dialog, of course!)).

I guess one way to reduce the probability of unauthorized access is to include some kind of hidden field with a random value that is stored on the session (supposing you let the session be created BEFORE the user logs in, which is the normal WO way to work). When some user goes back back back and tries to login, you check if the hidden field has the right value.

Of course, this is a trivial problem for a hacker to solve, but may solve the problem among "normal" users who know little about computers.

Another solution might be using the JavaScript handler onUnload (not sure if this is correct, but there is a handler called when the browser leaves the page) and reset the login and password fields right before the page goes away.

  Warning: I have not tested any of this.

  Yours

Miguel Arroz

On 2006/07/12, at 21:13, Thomas Pelaia II wrote:

Hi,

I have a WebObjects application in which people login using their username and password on the main page. The problem is that when users log out, and the session terminates, if the user then hits the browser's back button the browser asks if the user wants to resubmit form data and then it proceeds to log the user back in from the login information the browser has apparently stored. This is bad in a public environment where people log out but often leave their browsers open.

I have verified that the session is in fact destroyed upon termination and that the web browser is in fact resubmitting the user login data.

Is there a way to prevent browsers from resubmitting the login information?

thanks,
-tom




_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:


This email sent to email@hidden


"We have no sympathy for the lost souls
We've chosen the path of disgrace
We give this life to our children
And teach them to hate this place" -- Apocalyptica, Life Burns!

Miguel Arroz
http://www.ipragma.com
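Miguel's hidden-field idea, sketched as an added example (mine, not code from the thread or from WebObjects; the Session class, the credential check and the user "tom" are constructed stand-ins). The login page mints a random value, stores it in the session and puts it in a hidden field; the login action accepts the form only if the submitted value matches the one in the session that received the request, and consumes it, so the cached form the browser replays after Back carries a value the new session does not know.

```python
import hmac
import secrets

class Session:
    """Constructed stand-in for a server-side session object (not WebObjects)."""

    def __init__(self):
        self.user = None
        self.login_token = None

def render_login_form(session):
    """Called when the login page is built: mint a random value, remember it in
    the session, and return it for the hidden form field."""
    session.login_token = secrets.token_urlsafe(32)
    return session.login_token

def check_credentials(username, password):
    # Constructed credential check standing in for the real user store.
    return (username, password) == ("tom", "correct horse")

def handle_login(session, username, password, submitted_token):
    """Accept the login only if the hidden field matches the value stored in the
    session that received the request. The value is single-use, so a form the
    browser replays (Back + resubmit) cannot match a later session's value."""
    expected = session.login_token
    session.login_token = None  # consume it: one submission per rendered form
    if expected is None or submitted_token is None or not hmac.compare_digest(
        expected, submitted_token
    ):
        return False, "stale or missing form token"
    if not check_credentials(username, password):
        return False, "bad credentials"
    session.user = username
    return True, "logged in"

def back_button_replay():
    """The thread's scenario: log in, log out (session destroyed), then the browser
    resubmits the cached form into the fresh session the app creates."""
    old = Session()
    cached_token = render_login_form(old)  # value baked into the cached page
    ok, _ = handle_login(old, "tom", "correct horse", cached_token)
    assert ok
    del old  # logout terminates the session
    fresh = Session()
    render_login_form(fresh)  # the fresh session gets its own random value
    return handle_login(fresh, "tom", "correct horse", cached_token)
```

Only the passive resubmit is defeated: the replayed form fails on the token check before the stored password is even looked at, while a normal user who loads the login page afresh gets a matching value and logs in as before.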