can you prevent malicious use of browser back button in forms auth


  1. #1

    can you prevent malicious use of browser back button in forms auth

    Hi there,

    Here is a scenario that I've been asked to look into. Can anyone comment on this...

    I have a Web App that uses forms authentication to secure sections. Say for example that a user is logged in and authenticated to use secure sections of site. User then proceeds to navigate to some site outside of the secure sections of the web app (could be any url) but forgets to log out then eventually gets up and walks away from their machine. Some other malicious user then comes along and presses the back button on their browser to see what forgetful user has been looking at.

    I've been asked to somehow prevent that malicious user from being able to gain access to secure content if forgetful user didn't logout and the forms authentication timer on the auth cookie hasn't yet expired.

    I'm really not sure if this is possible
    Danny Guest

  3. #2

    Re: can you prevent malicious use of browser back button in forms auth

    Danny,

    Try this in your Page_Load:
    Response.Cache.SetCacheability(HttpCacheability.NoCache)

    This will make it so that when they hit back, the pages aren't still there.

    --
    Regards,
    Wes Henderson

    In order to help everyone, please direct all replies to this newsgroup.
    This posting is my personal effort to provide help and is not on behalf of
    any company.
    Also, this posting is provided "AS IS" with no expressed or implied
    warranties.

    "Danny" <Danny@discussions.microsoft.com> wrote in message
    news:326E8C10-7B46-4D27-94F8-5A10465BBFEF@microsoft.com...
    > Hi there,
    >
    > Here is a scenario that I've been asked to look into. Can anyone comment
    on this...
    >
    > I have a Web App that uses forms authentication to secure sections. Say
    for example that a user is logged in and authenticated to use secure
    sections of site. User then proceeds to navigate to some site outside of the
    secure sections of the web app (could be any url) but forgets to log out
    then eventually gets up and walks away from their machine. Some other
    malicious user then comes along and presses the back button on their browser
    to see what forgetful user has been looking at.
    >
    > I've been asked to somehow prevent that malicious user from being able to
    gain access to secure content if forgetful user didn't logout and the forms
    authentication timer on the auth cookie hasn't yet expired.
    >
    > I'm really not sure if this is possible

    Wes Henderson Guest

  4. #3

    Re: can you prevent malicious use of browser back button in forms

    This does prevent cached pages from being viewed however it does not prevent the fact that a valid authentication cookie still exists on the client machine. Therefore, when the malicious user presses back, the secure pages are reloaded from the server using the forms authentication cookie that nice user accidentally left lying around (without knowing it).

    What I'm trying to ask here is how can you prevent a malicious user (inadvertently) making use of the forms authentication cookie that hasn't yet expired due to a timeout?



    "Wes Henderson" wrote:
    > Danny,
    >
    > Try this in your Page_Load:
    > Response.Cache.SetCacheability(HttpCacheability.NoCache)
    >
    > This will make it so that when they hit back, the pages aren't still there.
    >
    > --
    > Regards,
    > Wes Henderson
    >
    > In order to help everyone, please direct all replies to this newsgroup.
    > This posting is my personal effort to provide help and is not on behalf of
    > any company.
    > Also, this posting is provided "AS IS" with no expressed or implied
    > warranties.
    >
    > "Danny" <Danny@discussions.microsoft.com> wrote in message
    > news:326E8C10-7B46-4D27-94F8-5A10465BBFEF@microsoft.com...
    > > Hi there,
    > >
    > > Here is a scenario that I've been asked to look into. Can anyone comment
    > on this...
    > >
    > > I have a Web App that uses forms authentication to secure sections. Say
    > for example that a user is logged in and authenticated to use secure
    > sections of site. User then proceeds to navigate to some site outside of the
    > secure sections of the web app (could be any url) but forgets to log out
    > then eventually gets up and walks away from their machine. Some other
    > malicious user then comes along and presses the back button on their browser
    > to see what forgetful user has been looking at.
    > >
    > > I've been asked to somehow prevent that malicious user from being able to
    > gain access to secure content if forgetful user didn't logout and the forms
    > authentication timer on the auth cookie hasn't yet expired.
    > >
    > > I'm really not sure if this is possible
    >
    >
    >
    Danny Guest
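An added example (not code from either poster) that combines both points of the thread: the no-cache headers from #2, so Back cannot serve a stale copy of a secure page, and an idle-time check that addresses #3, where the forms authentication cookie is still valid until its configured timeout. The class name SecurePage, the IdleLimit value and the "LastActivityUtc" session key are assumptions; it assumes session state is enabled.

```csharp
// Added example, not part of the original thread.
// (1) Applies the no-cache headers Wes suggests (enum spelled NoCache).
// (2) Enforces an application-level idle window: if the gap since the last
//     request exceeds it, the forms ticket and session are dropped, so a later
//     Back press reaches the login page rather than the secure content.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public class SecurePage : Page
{
    // Assumption: ten minutes idle is acceptable for this application.
    // This is independent of <forms timeout="..."> in web.config.
    private static readonly TimeSpan IdleLimit = TimeSpan.FromMinutes(10);
    private const string LastActivityKey = "LastActivityUtc"; // assumed key

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // No-cache plus no-store and an already-past Expires, so neither the
        // browser history nor a proxy keeps a copy to show on Back.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        if (!Request.IsAuthenticated) return; // public pages are unaffected

        DateTime now = DateTime.UtcNow;
        object last = Session[LastActivityKey];
        if (last is DateTime && now - (DateTime)last > IdleLimit)
        {
            // The auth cookie has not timed out, but the user has been idle
            // longer than allowed: invalidate ticket and session server-side
            // and send this request to the login page.
            FormsAuthentication.SignOut();
            Session.Abandon();
            FormsAuthentication.RedirectToLoginPage();
            return;
        }
        Session[LastActivityKey] = now; // stamp activity for the next request
    }
}
```

Secure pages inherit from SecurePage instead of Page; the idle check only helps if IdleLimit is shorter than the forms timeout, otherwise the cookie expires first anyway.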
