Re: login security issue
- Subject: Re: login security issue
- From: Chuck Hill <email@hidden>
- Date: Wed, 12 Jul 2006 13:31:32 -0700
If you set the headers to disallow caching it should prevent what
Thomas is describing. However, if the user allowed the browser to
save their password, there is nothing you can do.
Chuck
On Jul 12, 2006, at 1:27 PM, Miguel Arroz wrote:
Hi!
Well, that's a problem on the browser, not your app. Browsers
tend to save the form fields automatically, including the password
ones (especially if people answer "Yes" to "That irritating dialog
that keeps appearing that I don't know what it's for" (the Should I
store this password dialog, of course!)).
I guess one way to reduce the probability of unauthorized access
is to include some kind of hidden field with a random value that is
stored on the session (supposing you let the session be created
BEFORE the user logs in, which is the normal WO way to work). When
some user goes back back back and tries to login, you check if the
hidden field has the right value.
Of course, this is a trivial problem for a hacker to solve, but
may solve the problem among "normal" users who know little about
computers.
Another solution might be using the JavaScript handler onUnload
(not sure if this is correct, but there is a handler called when the
browser leaves the page) and reset the login and password fields
right before the page goes away.
Warning: I have not tested any of this.
Yours
Miguel Arroz
On 2006/07/12, at 21:13, Thomas Pelaia II wrote:
Hi,
I have a WebObjects application in which people log in using their
username and password on the main page. The problem is that when
users log out, and the session terminates, if the user then hits
the browser's back button the browser asks if the user wants to
resubmit form data and then it proceeds to log the user back in
from the login information the browser has apparently stored.
This is bad in a public environment where people log out but often
leave their browsers open.
I have verified that the session is in fact destroyed upon
termination and that the web browser is in fact resubmitting the
user login data.
Is there a way to prevent browsers from resubmitting the login
information?
thanks,
-tom
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
40guiamac.com
This email sent to email@hidden
"We have no sympathy for the lost souls
We've chosen the path of disgrace
We give this life to our children
And teach them to hate this place" -- Apocalyptica, Life Burns!
Miguel Arroz
http://www.ipragma.com
--
Coming sometime... - an introduction to web applications using
WebObjects and Xcode http://www.global-village.net/wointro
Practical WebObjects - for developers who want to increase their
overall knowledge of WebObjects or who are trying to solve specific
problems. http://www.global-village.net/products/practical_webobjects
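The two server-side measures discussed in this thread (Chuck's no-cache headers, and Miguel's per-session random hidden field that the login handler checks) combined into one small worked example. This is added illustration, not code from the thread or from WebObjects; it is written in plain Python with an in-memory session store so the logic can be followed framework-independently. The user name, password and the SessionStore / handle_login / handle_logout names are constructed for the example. The token is rotated after every use, so a form the browser resubmits via the back button carries a value the server no longer accepts, whether or not a fresh session has been created in the meantime. As Chuck notes, none of this helps if the browser has saved the password itself and the user simply submits the form again.

```python
import secrets
import hmac

# Response headers for the login page, as recommended in Chuck's reply:
# tell the browser (and any proxy) not to keep a copy of the page.
NO_CACHE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "0",
}

# Constructed user database for the example; a real app would store a hash.
USERS = {"tom": "constructed-password"}


class SessionStore:
    """Minimal in-memory session store standing in for the WO session."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        # Session exists before login (the "normal WO way"), so the login
        # page can carry a random token that belongs to this session.
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"login_token": secrets.token_urlsafe(16), "user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        # Logout terminates the session, as in Thomas's application.
        self._sessions.pop(sid, None)


def render_login_page(store, sid):
    """Return (response headers, hidden-field value) for the login form."""
    session = store.get(sid)
    return dict(NO_CACHE_HEADERS), session["login_token"]


def handle_login(store, sid, submitted_token, username, password):
    """Process a login form submission; returns a short outcome string."""
    session = store.get(sid)
    if session is None:
        # Session destroyed on logout: a replayed form cannot log anyone in.
        return "rejected: no session"
    if not hmac.compare_digest(submitted_token, session["login_token"]):
        # Hidden field does not match this session's value (Miguel's check).
        return "rejected: stale token"
    # Single use: rotate the token so the very same form cannot be replayed.
    session["login_token"] = secrets.token_urlsafe(16)
    expected = USERS.get(username)
    if expected is not None and hmac.compare_digest(expected, password):
        session["user"] = username
        return "ok"
    return "rejected: bad credentials"


def handle_logout(store, sid):
    store.destroy(sid)


def back_button_scenario():
    """Walk through the sequence from Thomas's post and return each outcome."""
    store = SessionStore()
    sid = store.create()
    headers, token = render_login_page(store, sid)

    first = handle_login(store, sid, token, "tom", "constructed-password")
    replay_same_session = handle_login(store, sid, token, "tom", "constructed-password")

    handle_logout(store, sid)
    replay_after_logout = handle_login(store, sid, token, "tom", "constructed-password")

    # The browser's "back" may also hit the app after a new session was
    # created for the kiosk; the old hidden-field value still does not match.
    new_sid = store.create()
    replay_new_session = handle_login(store, new_sid, token, "tom", "constructed-password")

    return {
        "cache_control": headers["Cache-Control"],
        "first": first,
        "replay_same_session": replay_same_session,
        "replay_after_logout": replay_after_logout,
        "replay_new_session": replay_new_session,
    }


if __name__ == "__main__":
    for name, outcome in back_button_scenario().items():
        print(f"{name}: {outcome}")
```

Only the first submission succeeds; every resubmission of the same form data is refused, which is the behaviour Thomas wanted from the logout.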