• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: login security issue
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: login security issue

  • Subject: Re: login security issue
  • From: Guido Neitzer <email@hidden>
  • Date: Thu, 13 Jul 2006 11:26:01 +0200
On 13.07.2006, at 11:02 Uhr, Dev WO wrote:


It may also be an issue depending on the laws in your area, for example in Europe, all public related website has to be Simple-A (so you can "afford" not te be valid) but should target Double-A (which require a valid page).


Yes, but the page stays accessible if the rest is okay, there is just one tag that isn't valid - Screenreaders and the like are not as dumb as the standardizing people ... they normally ignore tags they don't know.


I think you're not destroying the session when the user logout.
Just make sure the session is terminated in your code.


It seems to be - yes. I have tested this on my own app and if I do the following sequence (in Firefox):

1. Go to the login page
2. Login
3. Come to the first page of the app
4. Click on "Logout"
5. Use "Browser Back"

Firefox asks whether it should re-submit the form. But if it does, it get the session timeout page as expected. I do logouts with a redirect to the startpage like explained here:

<http://homepage.mac.com/kelleherk/iblog/C1216817469/E1693066109/ index.html>

Works as expected. The problem is, that some browsers ignore cache/ refresh settings of the page (Safari has done this in some version, I don't know whether others do the same).

So, it is a human problem: the user HAS to empty the cache, clear the cookies (if there are cookies), clear form values and close the window.

If you have a critical application you should bring a user to a dedicated logout page and explain these steps. Make it clear, that a browser back may or may not show others the content of the pages, the user has just visited. There might be also a caching proxy, which ignores cache/refresh tags ...

It's definitely not ONLY a technical problem. A user should never visit security sensitive pages from public computers or public networks (without using a secure tunnel like HTTPS or VPN). But you have to teach your users and they won't like it.

cug


_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden




  • Follow-Ups:

      

    • Re: login security issue

      • From: Fabian Peters <email@hidden>
      • 





References: 


 >Re: login security issue (From: Cliff Tuel <email@hidden>)


 >Re: login security issue (From: Dev WO <email@hidden>)






    

  • Prev by Date:
Re: Andrew Lindesay on development of Cocoa<--WS-->WO

    • 

  • Next by Date:
Re: Gremlins somewhere but where?

    • 

  • Previous by thread:
Re: login security issue

    • 

  • Next by thread:
Re: login security issue

    • 

  • Index(es):

      

    • Date
      • 

    • Thread
      • 

    

    •