WebApp Sec
mailing list archives
RE: Browser refresh sends username/password after log out -- URGENT
From: <roshen.chandran () paladion net>
Date: Thu, 7 Aug 2003 09:07:25 +0530
Extending Chris' note, we have seen this behaviour when the login post
directly goes to a new frameset which then frames all the remaining pages
till logout. The parent frame still "remembers" the variables posted to
receive it even when you navigate the other pages.
This problem can be solved if a re-direction is used on authentication
and before the frameset is created; the username/passwords will not get
re-sent on browser refresh of the 6th page if the frameset is itself
created through a re-direction in the first place.
Thanks,
-Roshen
Paladion Networks
www.paladion.net
-----Original Message-----
From: Chris Scott [mailto:cgscott () ll mit edu]
Sent: Wednesday, August 06, 2003 7:56 PM
To: webappsec () securityfocus com
Subject: Re: Browser refresh sends username/password after log out --
URGENT
Possibly due to the use of frames. The result of the POST for the login
form could be a frameset, and pages 2 thru 7 are displayed in a frame.
So the reload tries to refresh the page containing the frameset, which
resulted from the login POST.
Chris
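
The redirect-before-frameset fix described in this thread, as an added example that is not part of the original messages: a minimal WSGI app in which the login POST is answered with a 303 redirect, so the frameset is the result of a GET and a refresh of it carries only a session cookie. The route names, the `sid` cookie, the `call` driver and the sample account are assumptions made for illustration; the login form page itself is omitted.

```python
import hmac, io, secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

USERS = {"alice": "constructed-pw"}  # constructed sample account, plaintext only for brevity
SESSIONS = {}                        # session id -> username
FRAMESET = b'<frameset cols="20%,*"><frame src="/menu"><frame src="/page1"></frameset>'

def redirect(start_response, location, cookie=None):
    headers = [("Location", location)] + ([("Set-Cookie", cookie)] if cookie else [])
    start_response("303 See Other", headers)  # 303: the browser follows with a GET
    return [b""]

def session_id(environ):
    jar = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    return jar["sid"].value if "sid" in jar else None

def app(environ, start_response):
    route = (environ["REQUEST_METHOD"], environ.get("PATH_INFO", "/"))
    if route == ("POST", "/login"):
        size = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(size).decode())
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        expected = USERS.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return redirect(start_response, "/login")
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = user  # credentials stop here; the frameset comes from a later GET
        return redirect(start_response, "/app", f"sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/")
    if route == ("POST", "/logout"):
        SESSIONS.pop(session_id(environ), None)  # server-side invalidation
        return redirect(start_response, "/login")
    if route == ("GET", "/app"):
        if session_id(environ) not in SESSIONS:
            return redirect(start_response, "/login")
        start_response("200 OK", [("Content-Type", "text/html"), ("Cache-Control", "no-store")])
        return [FRAMESET]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]

def call(method, path, body=b"", cookie=""):  # in-process driver: (status, headers, body)
    seen = {}
    def start_response(status, headers):
        seen.update(status=status, headers=dict(headers))
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "HTTP_COOKIE": cookie,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    out = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], out
```

Refreshing `/app` after `/logout` repeats a GET with a dead session id, so the server answers with a redirect to the login page instead of receiving the username and password again.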