Re: login security issue
- Subject: Re: login security issue
- From: Guido Neitzer <email@hidden>
- Date: Thu, 13 Jul 2006 11:26:01 +0200
On 13.07.2006, at 11:02, Dev WO wrote:
> It may also be an issue depending on the laws in your area, for
> example in Europe, all public-related websites have to be Simple-A
> (so you can "afford" not to be valid) but should target Double-A
> (which requires a valid page).
Yes, but the page stays accessible if the rest is okay, there is just
one tag that isn't valid - screenreaders and the like are not as dumb
as the standardizing people ... they normally ignore tags they don't
know.
> I think you're not destroying the session when the user logs out.
> Just make sure the session is terminated in your code.
It seems to be - yes. I have tested this on my own app and if I do
the following sequence (in Firefox):
1. Go to the login page
2. Login
3. Come to the first page of the app
4. Click on "Logout"
5. Use "Browser Back"
Firefox asks whether it should re-submit the form. But if it does, it
gets the session timeout page as expected. I do logouts with a
redirect to the start page as explained here:
<http://homepage.mac.com/kelleherk/iblog/C1216817469/E1693066109/
index.html>
Works as expected. The problem is that some browsers ignore the cache/
refresh settings of the page (Safari has done this in some version, I
don't know whether others do the same).
So, it is a human problem: the user HAS to empty the cache, clear the
cookies (if there are cookies), clear form values and close the window.
If you have a critical application you should bring a user to a
dedicated logout page and explain these steps. Make it clear that a
browser back may or may not show others the content of the pages the
user has just visited. There might also be a caching proxy, which
ignores cache/refresh tags ...
It's definitely not ONLY a technical problem. A user should never
visit security sensitive pages from public computers or public
networks (without using a secure tunnel like HTTPS or VPN). But you
have to teach your users and they won't like it.
cug
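The two technical points in the thread above are that logout must destroy the session on the server (so a re-submitted request after "Browser Back" lands on the timeout page) and that sensitive responses should carry no-cache headers, with the caveat that some browsers and proxies ignore them. The following is an added, framework-independent Python sketch of that behaviour; it is not WebObjects code and not from the linked article. The in-memory session store, the cookie name `sessionid`, the `/timeout` and `/` paths, and the `(status, headers)` return shape are all constructed for illustration.

```python
import secrets
import time

# Constructed in-memory session store standing in for the application's own.
SESSIONS = {}


def create_session(user):
    """Create a server-side session and return its unguessable id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "created": time.time()}
    return sid


def is_logged_in(sid):
    """A session is valid only while the server still knows it."""
    return sid in SESSIONS


def no_cache_headers():
    """Headers that tell browsers and intermediate proxies not to store the
    response. As the thread notes, not every client honours them, so they are a
    second layer behind server-side session termination, not a substitute."""
    return [
        ("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0"),
        ("Pragma", "no-cache"),
        ("Expires", "0"),
    ]


def logout(sid, start_page="/"):
    """Terminate the session on the server, expire the cookie in the browser and
    redirect to the start page (assumed path). Returns (status, headers)."""
    SESSIONS.pop(sid, None)  # the decisive step: the id is now worthless
    headers = [
        ("Location", start_page),
        # Max-Age=0 instructs the browser to drop the cookie (assumed name).
        ("Set-Cookie", "sessionid=deleted; Path=/; Max-Age=0; HttpOnly; Secure"),
    ] + no_cache_headers()
    return 303, headers


def protected_page(sid):
    """A page that needs a valid session. After logout the same request (e.g. a
    re-submitted form from "Browser Back") is sent to the timeout page."""
    if not is_logged_in(sid):
        return 302, [("Location", "/timeout")] + no_cache_headers()
    return 200, [("Content-Type", "text/html")] + no_cache_headers()


def uncacheable(headers):
    """Check a response's headers for the no-store directive (useful as a test
    assertion over every sensitive handler in an application)."""
    lookup = {name.lower(): value for name, value in headers}
    directives = {d.strip().lower() for d in lookup.get("cache-control", "").split(",")}
    return "no-store" in directives


if __name__ == "__main__":
    sid = create_session("alice")
    print("before logout:", protected_page(sid)[0])   # 200
    print("logout:", logout(sid)[0])                   # 303
    print("after logout:", protected_page(sid)[0])    # 302 -> /timeout
```

The order matters: the server-side `SESSIONS.pop` is what makes the back button harmless even for a browser that ignores every cache header, while the headers merely reduce how often a previously rendered page is shown from the local cache.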
Webobjects-dev mailing list (email@hidden)