
[WEB SECURITY] Browser Cache




I'm trying to find some solutions for the following issue:

Browser is caching user credentials at login page.

1 - user logs in
2 - uses the site
3 - logs out
4 - goes to browser history and selects login page
5 - clicks on forward and browser shows "this page has expired. if you want
to repost the data please click refresh"
6 - clicks on refresh and the browser sends the credentials again.

The initial solution proposed is to return a "302 redirect" when the user
posts the username/password. This solution has a performance impact, since
all logins will need an additional request. Would you know another way to
invalidate the browser's cache? We've tried the cache control headers but
it is not working.

Best,
SS
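
The 302-after-POST approach mentioned in the message, sketched as an added example that is not part of the original post: a WSGI login handler whose POST response is only a redirect, so the history entry the browser keeps is the GET that follows. The paths, form field names, demo account and cookie name are constructed for illustration.

```python
# Added example: Post/Redirect/Get for a login form, as a WSGI app.
# Paths, field names, the demo account and the cookie name are constructed.
import io
import secrets
from urllib.parse import parse_qs

USERS = {"alice": "correct horse"}  # constructed; real code verifies a password hash
SESSIONS = set()

def app(environ, start_response):
    method, path = environ["REQUEST_METHOD"], environ["PATH_INFO"]
    no_store = ("Cache-Control", "no-store")
    if method == "POST" and path == "/login":
        size = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(size).decode())
        user = form.get("username", [""])[0]
        pw = form.get("password", [""])[0]
        if user in USERS and secrets.compare_digest(USERS[user].encode(), pw.encode()):
            sid = secrets.token_urlsafe(32)
            SESSIONS.add(sid)
            # The POST response carries no page: the browser follows with GET /home,
            # so history holds a GET and Refresh has no form data to re-send.
            start_response("302 Found", [("Location", "/home"), no_store,
                ("Set-Cookie", f"sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/")])
            return [b""]
        start_response("302 Found", [("Location", "/login?failed=1"), no_store])
        return [b""]
    if method == "GET" and path == "/home":
        sid = environ.get("HTTP_COOKIE", "").partition("sid=")[2].split(";")[0]
        if sid in SESSIONS:
            start_response("200 OK", [("Content-Type", "text/plain"), no_store])
            return [b"welcome"]
        start_response("302 Found", [("Location", "/login"), no_store])
        return [b""]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]

def call(method, path, body=b"", cookie=""):
    """Drive the app without a network socket; returns (status, headers, body)."""
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "HTTP_COOKIE": cookie,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    out = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], out
```
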




Brought to you by http://www.webappsec.org