>Which shows that Gmail (which I use to write this email) is badly
>designed, logout should be used via a POST only...
Well, I prefer to use URL/form "signing" for certain actions in some of my
webapps.
Fake example:
http://somewhere.null/webapp?do=transfer&src=1234&dst=5678&amt=5551&sig=ac36d415b9fc2ffb68171185ef2bd7da
Where sig could be a crypto hash of: the parameters, the session cookie/id
value (making replay harder) and a site secret. You could even add a salt
if you want, or do more sophisticated stuff.
Of course, for high impact actions, you'd get a confirmation page -
clicking yes submits the necessary confirmation keys/signatures to match
some of the parameters sent.
In Gmail's defense, not protecting logout isn't so bad (you might disagree
if you just composed a long message and haven't saved or sent it and
somehow got logged out ;) ).
>I think that it would be easier to fix the issue in the browser, to
>have browsers not use cookies over a redirect? (thinking only of
>session-related scenarios)
That would break a fair number of things, or make things fairly
inconvenient. HTTP 302 redirects are a very common tool for webapps.
Many sites have the target page of a login form redirect to a subsequent
page. This is to prevent a browser refresh from rePOSTing the credentials.
Otherwise if you don't close the browser (yes I know ;) ), someone could
click the browser back button till the page just after the login form,
click refresh, and the browser will repost the login form values.
Regards,
Link.
Received on Sep 13 2005
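
The URL signing scheme described in the message above, as an added example that is not part of the original post: it uses HMAC-SHA256 keyed with the site secret in place of a bare hash, and binds the signature to the session id. The names `SITE_SECRET`, `sign_url` and `verify_url`, the secret value and the session ids are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

SITE_SECRET = b"constructed-demo-secret"  # assumption: per-site key kept server-side


def _mac(pairs, session_id):
    # Canonical form: parameters sorted by name, length-prefixed so the
    # boundary between parameters and session id cannot be shifted.
    canonical = urlencode(sorted(pairs)).encode()
    msg = len(canonical).to_bytes(4, "big") + canonical + session_id.encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()


def sign_url(base, params, session_id):
    """Return base?params&sig=... valid only for the given session."""
    pairs = [(k, str(v)) for k, v in params.items()]
    return base + "?" + urlencode(pairs + [("sig", _mac(pairs, session_id))])


def verify_url(url, session_id):
    """True only if sig matches the received parameters and this session."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    sigs = [v for k, v in pairs if k == "sig"]
    if len(sigs) != 1:  # missing or duplicated signature
        return False
    rest = [(k, v) for k, v in pairs if k != "sig"]
    expected = _mac(rest, session_id)
    # Constant-time comparison on bytes avoids leaking how many characters match.
    return hmac.compare_digest(sigs[0].encode(), expected.encode())


if __name__ == "__main__":
    # Constructed sample request modelled on the fake URL in the message.
    url = sign_url("http://somewhere.null/webapp",
                   {"do": "transfer", "src": 1234, "dst": 5678, "amt": 5551},
                   "session-A")
    print(url)
    print(verify_url(url, "session-A"), verify_url(url, "session-B"))
```

A link built by another site cannot carry a valid `sig` without the site secret and the victim's session id, which is the property the message relies on.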