
Re: login security issue


  • Subject: Re: login security issue
  • From: Guido Neitzer <email@hidden>
  • Date: Thu, 13 Jul 2006 11:26:01 +0200

On 13.07.2006, at 11:02 Uhr, Dev WO wrote:


> It may also be an issue depending on the laws in your area, for example in Europe, all public-related websites have to be Simple-A (so you can "afford" not to be valid) but should target Double-A (which requires a valid page).


Yes, but the page stays accessible if the rest is okay, there is just one tag that isn't valid. Screen readers and the like are not as dumb as the standardizing people ... they normally ignore tags they don't know.



> I think you're not destroying the session when the user logs out.
> Just make sure the session is terminated in your code.


It seems to be - yes. I have tested this on my own app and if I do the following sequence (in Firefox):


1. Go to the login page
2. Login
3. Come to the first page of the app
4. Click on "Logout"
5. Use "Browser Back"

Firefox asks whether it should re-submit the form. But if it does, it gets the session timeout page as expected. I do logouts with a redirect to the start page as explained here:

<http://homepage.mac.com/kelleherk/iblog/C1216817469/E1693066109/index.html>

Works as expected. The problem is that some browsers ignore cache/refresh settings of the page (Safari has done this in some version, I don't know whether others do the same).

So, it is a human problem: the user HAS to empty the cache, clear the cookies (if there are cookies), clear form values and close the window.

If you have a critical application you should bring a user to a dedicated logout page and explain these steps. Make it clear that a browser back may or may not show others the content of the pages the user has just visited. There might also be a caching proxy which ignores cache/refresh tags ...

It's definitely not ONLY a technical problem. A user should never visit security-sensitive pages from public computers or public networks (without using a secure tunnel like HTTPS or VPN). But you have to teach your users and they won't like it.

cug
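The logout sequence Guido describes, as a small added Python model (not WebObjects code and not from the thread): the server terminates the session before redirecting to the start page, every sensitive response carries no-store cache headers, and replaying the stale session id after logout (the "Browser Back" re-submit) is checked to land on the timeout page. The `App`, `Response` and `back_button_replay` names and the in-memory session store are assumptions.

```python
# Added example, not code from the thread. Hypothetical names throughout.
import secrets
from dataclasses import dataclass, field

# Headers every authenticated response should carry so a conforming browser
# or caching proxy will not replay the page on "Back". The thread notes that
# some browsers ignored these, so they are necessary, not sufficient.
NO_STORE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, private",
    "Pragma": "no-cache",
    "Expires": "0",
}


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


class App:
    def __init__(self):
        self.sessions = {}  # constructed in-memory store: session id -> user

    def login(self, user):
        sid = secrets.token_urlsafe(32)  # unguessable session id
        self.sessions[sid] = user
        return sid, Response(200, f"welcome {user}", dict(NO_STORE_HEADERS))

    def page(self, sid):
        # Every sensitive page re-checks the session and forbids caching.
        if sid not in self.sessions:
            return Response(401, "session timeout", dict(NO_STORE_HEADERS))
        return Response(200, f"data for {self.sessions[sid]}", dict(NO_STORE_HEADERS))

    def logout(self, sid):
        # Terminate server-side first, expire the cookie, then redirect to the
        # start page so a re-submitted form cannot find the old session.
        self.sessions.pop(sid, None)
        headers = {"Location": "/start", "Set-Cookie": "sid=; Max-Age=0", **NO_STORE_HEADERS}
        return Response(303, "", headers)


def back_button_replay(app):
    """Run the thread's login -> page -> logout -> Back sequence; True if the
    stale session id is rejected and the reply is marked non-cacheable."""
    sid, _ = app.login("alice")
    app.page(sid)                       # first page of the app
    app.logout(sid)                     # click "Logout"
    replay = app.page(sid)              # "Browser Back" re-submits with old sid
    return replay.status == 401 and replay.headers["Cache-Control"].startswith("no-store")
```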


  • Follow-Ups:
    • Re: login security issue (From: Fabian Peters <email@hidden>)
  • References:
    • Re: login security issue (From: Cliff Tuel <email@hidden>)
    • Re: login security issue (From: Dev WO <email@hidden>)
