Re: [Phplib-users] browser back button sneaks
From: Richard A. <rh...@ju...> - 2002-10-05 02:36:01
At 19:20 +0200 4/10/02, Giancarlo wrote:

> Did anyone notice that it is possible to sneak back from an authenticated but
> expired page, with the browser back button, until we reach the submission of
> the login POST data, hit reload and re-get authed without retyping
> username/pass?
> Do you know anything that can cure this?

You could add a field containing a unique authentication token to the form. Once this token has been used once, invalidate it on the server. That way even if a username and password are re-POSTed, the token will be invalid and the auth will fail.

Of course the username and pass must still be stored in memory on that computer somewhere, so if a wily hacker has access to the computer, well...

...R.
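The single-use form token Richard describes, as an added example that is not from the original thread or from PHPLIB (written in Python rather than PHP so the logic stands alone). The `LoginTokenStore`, `handle_login` and the `USERS` table are assumed names for this illustration; the token is minted when the login form is rendered, embedded as a hidden field, and consumed on first POST, so replaying the same POST fails before credentials are even checked:

```python
import hmac
import secrets
import time
from hashlib import sha256
from typing import Dict, Optional, Tuple

# Constructed demo credential store (username -> sha256 hex digest).
# Sample only; a real deployment would use a salted, slow password hash.
USERS = {"alice": sha256(b"correct horse").hexdigest()}


class LoginTokenStore:
    """Server-side record of login form tokens that are valid for one use."""

    def __init__(self, ttl_seconds: int = 600):
        self.ttl = ttl_seconds
        self._issued: Dict[str, float] = {}  # token -> time it was issued

    def issue(self, now: Optional[float] = None) -> str:
        """Mint a fresh token to embed as a hidden field in the login form."""
        token = secrets.token_urlsafe(32)
        self._issued[token] = time.time() if now is None else now
        return token

    def consume(self, token: str, now: Optional[float] = None) -> bool:
        """Accept a token exactly once; unknown, expired or reused tokens fail."""
        issued_at = self._issued.pop(token, None)  # pop = invalidate on first use
        if issued_at is None:
            return False
        now = time.time() if now is None else now
        return now - issued_at <= self.ttl


def handle_login(form: dict, store: LoginTokenStore, now: Optional[float] = None) -> bool:
    """Process a POSTed login form. The token check runs first, so a re-POSTed
    form (back button + reload) is rejected even with correct credentials."""
    if not store.consume(form.get("auth_token", ""), now):
        return False
    expected = USERS.get(form.get("username", ""))
    if expected is None:
        return False
    supplied = sha256(form.get("password", "").encode()).hexdigest()
    return hmac.compare_digest(expected, supplied)


def replay_demo() -> Tuple[bool, bool]:
    """First submission succeeds; the identical second submission fails."""
    store = LoginTokenStore()
    form = {"username": "alice", "password": "correct horse", "auth_token": store.issue()}
    return handle_login(form, store), handle_login(form, store)
```

The token is consumed on every submission, including a failed one, so a wrong password also burns it and the form must be re-rendered with a new token.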