WebApp Sec
mailing list archives
Re: Browser refresh sends username/password after log out -- URGENT
From: Phillip Schroeder <phils () saintjoe edu>
Date: Tue, 05 Aug 2003 13:58:46 -0500
The problem with this, if I remember correctly, is that browsers contain
their own "history cache" of sorts, that pays no attention to HTTP
directives (such as "Cache-Control: no-cache"). As Ingo said, this is a
"feature" of today's browsers used to give the user the closest
representation of a page in the browser's history.
I've done quite a bit of web application programming, and I remember
doing a bit of research on the subject. Unfortunately, I also remember
that the best answer I could come up with was also along the lines of
what Ingo had to say: make sure the user knows to close the browser when
they are finished with a sensitive transaction.
The only other option is to send a key with each form submission...much
like what Ingo already said. It's definitely more work, but you'll be
able to sleep at night.
Wow...if this wasn't a plug for Ingo Struck, I don't know what is.
-p
Imre Kertesz wrote:
If I understand this correctly, the application is allowing caching of
the credentials. One way to discourage this, from the application's
perspective, is to include a script function such as <FORM
AUTOCOMPLETE="off"> within the splash page script, as well as the
appropriate Cache-Control directive (e.g. "Cache-Control: no-cache").
Just the fact that this caching of credentials is possible within a
banking application makes the app a potential target for attackers who
may see it as a treasure trove of vulnerabilities.
-I
--
Phil Schroeder phils () saintjoe edu http://phigga.blogspot.com
------------------------------------------------------------------
Computer Systems Analyst / Webmaster Saint Joseph's College
"I'm all in favor of keeping dangerous weapons out of the hands of
fools. Let's start with typewriters."
- Frank Lloyd Wright (1868-1959)
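One way to implement the per-submission key Phil and Ingo describe, combined with the Cache-Control and AUTOCOMPLETE settings from Imre's message, as an added example that is not code from anyone in this thread (the in-memory session store and the helper names are assumptions):

```python
import secrets

# Constructed in-memory session store standing in for the real one
# (hypothetical; a deployment would use its own session layer).
SESSIONS = {}

def render_login_form(session_id):
    """Return (headers, html) for the login page. Each render issues a
    fresh one-time token and remembers it in the caller's session."""
    token = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["form_token"] = token
    headers = {
        # no-store goes beyond no-cache: the page and the POST response
        # must not be written to any cache at all.
        "Cache-Control": "no-store, no-cache, must-revalidate",
        "Pragma": "no-cache",
        "Expires": "0",
    }
    html = (
        '<form method="POST" action="/login" autocomplete="off">'
        f'<input type="hidden" name="form_token" value="{token}">'
        '<input name="username">'
        '<input type="password" name="password">'
        '</form>'
    )
    return headers, html

def handle_login_post(session_id, form):
    """Accept a POST only once per issued token. A browser refresh or
    back-button resubmission carries the already-consumed token and is
    refused, so the cached credentials cannot log the user in again."""
    session = SESSIONS.get(session_id, {})
    expected = session.pop("form_token", None)   # consume on first use
    supplied = form.get("form_token", "")
    if expected is None or not secrets.compare_digest(
        expected.encode(), supplied.encode()
    ):
        return 403, "stale or missing form token; reload the login page"
    # Real credential verification would happen here.
    # Redirect after POST so a refresh re-issues a harmless GET.
    return 303, "/account"
```

The token is removed from the session before the credential check, so even a successful login cannot be replayed from the browser's history cache.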