Why not just tell the browser not to cache the pages and always
check that they are logged in... or am I missing something?

JSP code (should be easy to translate):
<%
        // Set to expire far in the past.
        response.setHeader("Expires", "Sun, 7 May 1995 12:00:00 GMT");

        // Set standard HTTP/1.1 no-cache headers.
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");

        // Set IE extended HTTP/1.1 no-cache headers (use addHeader).
        response.addHeader("Cache-Control", "post-check=0, pre-check=0");

        // Set standard HTTP/1.0 no-cache header.
        response.setHeader("Pragma", "no-cache");
%>



On Mon, 10 Jan 2005 09:14:35 +1100, Chris Jensen <[EMAIL PROTECTED]> wrote:
> > Plus:
> > After you log a user out of a site, in the application.cfm file clear 
> > their CFID, CFTOKEN, JSESSIONID, and session, then do a cflocate to the 
> > index page of the site and that *should* prevent the back-button from 
> > letting anyone view secure pages (if you have everything else setup right).
> 
> I don't think this won't completely eliminate the back problem. In most
> browsers, the user can click on an arrow or something on the back button
> to get a history and jump back to any page in the history.
> You can also sometimes get around this by just hitting back twice
> quickly in succession.
> 
> The best way around this is to close the browser window, if it's
> intranet you could try just making it policy that users close after
> logging out, or if that doesn't take off, use JavaScript to forcibly
> close the window. (This seems to be how most internet banking sites deal
> with the issue)

-- 
~Blog~
http://www.robrohan.com
~The cfml plug-in for eclipse~
http://cfeclipse.tigris.org
~open source xslt IDE~
http://treebeard.sourceforge.net
