Re: A question about web security mechanism

From: Barry Margolin (barmar@genuity.net)
Date: 05/24/02


From: Barry Margolin <barmar@genuity.net>
Date: Fri, 24 May 2002 18:55:19 GMT

In article <acm0t1$fsh$1@solaria.cc.gatech.edu>,
Chenghuai Lu <lulu@cc.gatech.edu> wrote:
>After I logged into my Discover card account, I clicked the refresh button in my
>browser. My web browser shows the dialog that says "The page cannot be refreshed
>without resending the information. Click Retry to send the information
>again, or click Cancel to return to the page that you were trying to view."
>If I choose Retry, my information is sent and the page is reloaded, while
>for Cancel, the page cannot be reloaded.
>
>My question is, what is the mechanism this website uses for security? What
>kind of information is re-sent? I assume that this is different from the use of a
>session cookie, since the browser won't pop up the dialog box when I refresh the
>page in my Yahoo mail account.

The "Refresh" command works by simply sending the same thing that the
browser previously sent. If the page you're viewing is the result of
filling out a form, it has to send the same data that it sent when you
filled the form previously.

The warning isn't coming from the site; it's an automatic warning that the
browser produces whenever you ask to refresh a page that came from filling
out a form. The reason for the warning is that there might be problems if
the form told the web site to perform some action, like submitting a
purchase; if you do it twice, you might end up buying the same item again.
Some web sites may make use of cookies or other mechanisms to prevent being
fooled like this, but the browser has no way of knowing, so it takes the
cautious route and warns you.

-- 
Barry Margolin, barmar@genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
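One way a site can implement the "cookies or other mechanisms" mentioned in the reply above, as an added example that is not part of the original thread: the server embeds a single-use token in the purchase form and answers the POST with a redirect, so a resent POST is recognized as a replay and the page the user ends up on is a plain GET that can be refreshed without a prompt. `PurchaseServer`, its methods and the item name are constructed for illustration.

```python
import secrets

# Constructed in-memory model of a duplicate-submission guard: the server issues
# a single-use token with the purchase form; a Refresh -> Retry resends the same
# token, which has already been consumed and is therefore rejected.
class PurchaseServer:
    def __init__(self):
        self._pending = set()   # tokens issued but not yet consumed
        self.orders = []        # orders actually placed

    def render_form(self):
        """Called on GET: issue a fresh one-time token embedded in the form."""
        token = secrets.token_hex(16)
        self._pending.add(token)
        return {"form_token": token}

    def handle_post(self, form):
        """Called on POST: accept the order only once per issued token."""
        token = form.get("form_token", "")
        if token not in self._pending:
            # Either never issued, or already consumed by an earlier submit
            # (for example, the browser resent the POST on Refresh -> Retry).
            return {"status": 409, "body": "duplicate or invalid submission"}
        self._pending.discard(token)
        self.orders.append(form["item"])
        # Post/Redirect/Get: the browser lands on a GET page, so a later
        # Refresh re-requests /orders instead of re-POSTing the form.
        return {"status": 303, "location": "/orders"}

def simulate_refresh():
    """Constructed scenario: submit once, then 'Retry' resends identical data."""
    srv = PurchaseServer()
    form = dict(srv.render_form(), item="widget")
    first = srv.handle_post(form)
    second = srv.handle_post(dict(form))  # byte-identical resubmission
    return first["status"], second["status"], len(srv.orders)

if __name__ == "__main__":
    print(simulate_refresh())  # (303, 409, 1): one order placed, replay refused
```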