Re: can you prevent malicious use of browser back button in forms

From: Danny (Danny_at_discussions.microsoft.com)
Date: 07/05/04

  • Next message: Ken Schaefer: "Re: Integrated security in ASP.net" 
    Date: Sun, 4 Jul 2004 20:34:02 -0700

    This does prevent cached pages from being viewed however it does not prevent the fact that a valid authentication cookie still exists on the client machine. Therefore, when the malicious user presses back, the secure pages are reloaded from the server using the forms authentication cookie that nice user accidently left lying around (without knowing it).

    What I'm trying to ask here is how can you prevent a malicious user (inadvertently) making use of the forms authentication cookie that hasn't yet expired due to a timeout?

    "Wes Henderson" wrote:

    > Danny,
    >
    > Try this in your Page_Load:
    > Response.Cache.SetCacheability(HttpCacheability.NoCache)
    >
    > This will make it so that when they hit back, the pages aren't still there.
    >
    > --
    > Regards,
    > Wes Henderson
    >
    > In order to help everyone, please direct all replies to this newsgroup.
    > This posting is my personal effort to provide help and is not on behalf of
    > any company.
    > Also, this posting is provided "AS IS" with no expressed or implied
    > warranties.
    >
    > "Danny" <Danny@discussions.microsoft.com> wrote in message
    > news:326E8C10-7B46-4D27-94F8-5A10465BBFEF@microsoft.com...
    > > Hi there,
    > >
    > > Here is a scenario that I 've been asked to look into. Can anyone comment
    > on this...
    > >
    > > I have a Web App that uses forms authentication to secure sections. Say
    > for example that a user is logged in and authenticated to use secure
    > sections of site. User then proceeds to navigate to some site outside of the
    > secure sections of the web app (could be any url) but forgets to log out
    > then eventually gets up and walks away from their machine. Some other
    > malicious user then comes along and presses the back button on their browser
    > to see what forgetful user has been looking at.
    > >
    > > I've been asked to somehow prevent that malicious user from being able to
    > gain access to secure content if fogetful user didn't logout and the forms
    > authentication timer on the auth cookie hasn't yet expired.
    > >
    > > I'm really not sure if this is possible
    >
    >
    >

  • Next message: Ken Schaefer: "Re: Integrated security in ASP.net"