If the question has turned into: "can you secure an application on the
client side?" the answer is no.  If a user has access to the security
source code then a way can always be devised to crack it.  

In my own investigation of this same topic I have concluded that the
javascript cache clearing is an "iffy" solution at best.  The problem my
own group has involves multiple people with different access permissions
using the same public workstation to access patient records.  If a
medical director logs into our reporting site and views a patient and
then logs off, what is to prevent an intern from using the back button
to view the same cached report?  Javascript can clear the cache, remove
the back button, or force a reload of the page to check permissions. 
But if javascript is "off" in the browser, then there is nothing to
prevent this.  

A half-way solution we have yet to implement would be to check and see
if javascript is enabled to complete the login process and then have
javascript close the browser window on logout.  Placing an icon to the
site on the desktop would allow "one click" access to return to login. 
But, again, this can be sidestepped.  So ultimately the real security
will take place in training.  In training the doctors, we stress the
importance of closing the window after they access patient records.  And
as backup to this, we keep a server side timestamp of their login
purposefully very short to ensure with reasonable accuracy that even if
they walk away from the workstation logged in, trying to continue
will re-require login.  But if they leave the browser open
and javascript is not enabled, then the history is open for back
browsing.

Unfortunately, in the end we must conclude the obvious: "an internet
browser in a multi user environment is not an ideal security
arrangement."  Lucky for us, we also have in house applications that
access patient records locally and which are far more secure.  Further,
the PCs themselves are in a secure environment or in clear view of
staff.

Good Fortune,
Richard Walters,
Internet Application Designer,
Davita Laboratory Services
[EMAIL PROTECTED]
(800) 604-5227 x 7777
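The two server side controls mentioned above (a short login timestamp re-checked on every request, and keeping the protected page out of the browser's cache without relying on javascript) can be shown together in a small handler. This is an added example for this thread, not code from Richard's reporting site or from ColdFusion; the session store, the roles, the idle timeout and the /login.cfm redirect target are constructed assumptions.

```python
"""Added example (not from the CF-Talk thread): server-side session idle
timeout plus response headers that tell the browser and any shared cache
not to keep a copy of a protected page.  Neither control depends on
JavaScript being enabled on the workstation."""
import secrets
import time

IDLE_TIMEOUT_SECONDS = 120  # assumption: a deliberately short idle timeout

# Constructed in-memory session store: session id -> {"user", "role", "last_seen"}
SESSIONS = {}

# Headers that stop the browser (and shared caches) from storing the page.
# With no stored copy, the back button has to re-request the page, and that
# request is rejected once the session has been logged out or has expired.
NO_STORE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
}

# Assumed roles allowed to view patient reports
REPORT_ROLES = ("medical_director", "physician")


def login(user, role, now=None):
    """Create a server-side session and return its unguessable id."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "role": role, "last_seen": now}
    return sid


def logout(sid):
    """Drop the session on the server; the cookie value alone is now worthless."""
    SESSIONS.pop(sid, None)


def current_session(sid, now=None):
    """Return the live session for sid, or None if it is unknown or has been
    idle longer than IDLE_TIMEOUT_SECONDS.  An expired session is deleted so a
    later request cannot revive it."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    if now - sess["last_seen"] > IDLE_TIMEOUT_SECONDS:
        del SESSIONS[sid]
        return None
    sess["last_seen"] = now  # sliding timeout: activity extends the session
    return sess


def patient_report(sid, patient_id, now=None):
    """Handler for a protected page.  Returns (status, headers, body).
    The session and the role are re-checked on every request, and every
    response, including the redirect, carries the no-store headers."""
    sess = current_session(sid, now)
    if sess is None:
        return 302, {"Location": "/login.cfm", **NO_STORE_HEADERS}, b""
    if sess["role"] not in REPORT_ROLES:
        return 403, dict(NO_STORE_HEADERS), b"forbidden"
    body = f"report for patient {patient_id} viewed by {sess['user']}".encode()
    return 200, dict(NO_STORE_HEADERS), body


if __name__ == "__main__":
    sid = login("dr_example", "medical_director")
    print(patient_report(sid, "P-1")[0])   # 200 while logged in
    logout(sid)
    print(patient_report(sid, "P-1")[0])   # 302 after logout
```

The point of the example is that the decision is made by the server on each request: after a logout, or once the timestamp is too old, the back button produces a fresh request that is redirected to login, and because the page was sent with no-store there is no cached copy for the next person at the workstation to read.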

>>> [EMAIL PROTECTED] 05/30/02 04:01PM >>>
and then all someone has to do is use a program to spoof the referrer
information and they're in. The only thing that you as a web programmer
can do without beating your head against the wall is to make sure you
qualify all variables passed to the page, check them to make sure they
are of the length and type you want and then have error checking to test
the values. If you do that, then it doesn't matter where the information
is coming from.

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED] 
http://www.sheriff.org 


-----Original Message-----
From: Timothy Heald [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, May 30, 2002 3:54 PM
To: CF-Talk
Subject: RE: Re[2]: Preventing user from going back


The only way I have seen to do this, and it was mentioned by someone
earlier, is to only allow for a specific referer.  You would use the
url to the page that the user 'should' be coming from like this:

<cfif cgi.HTTP_REFERER is "http://www.example.com/previous.cfm">
        <!--- referer matches the expected page: allow the template to process --->
<cfelse>
        <!--- move them somewhere else, either with cflocation or a script --->
        <cflocation url="login.cfm" addtoken="no">
</cfif>

Tim Heald
ACP/CCFD :)
Application Development
www.schoollink.net 

> -----Original Message-----
> From: Alex [mailto:[EMAIL PROTECTED]] 
> Sent: Thursday, May 30, 2002 3:18 PM
> To: CF-Talk
> Subject: Re: Re[2]: Preventing user from going back
>
>
> Interesting point. I took it upon myself to test out your question and
> found that you CAN go back.
>
> On Thu, 30 May 2002, Mario Martinez wrote:
>
> > What if I view the file source, erase all the javascript code that is
> > bothering me, save the file onto my local hard disk, run the browser
> > over it and try going back???
> > regards
> > Mario
> > ----- Original Message -----
> > From: "Critz" <[EMAIL PROTECTED]>
> > To: "CF-Talk" <[EMAIL PROTECTED]>
> > Sent: Thursday, May 30, 2002 2:18 PM
> > Subject: Re[2]: Preventing user from going back
> >
> >
> > > oi Alex!!
> > >
> > > then you could always do this
> > >
> > > <noscript><meta refresh......></noscript>
> > >
> > > seeing as how most of us develop web applications and not
> > > websites....if javascript is disabled, then they don't need to be there......
> > >
> > >
> > > --
> > > Critz
> > > Certified Adv. ColdFusion Developer
> > >
> > > Crit[s2k] - <CF_ChannelOP Network="Efnet" Channel="ColdFusion">
> > > ------------------------------------
> > > Thursday, May 30, 2002, 2:07:05 PM, you wrote:
> > >
> > > A> What happens if I disable javascript?
> > >
> > >
> > > A> On Thu, 30 May 2002, Critz wrote:
> > >
> > > >> oi Mark!!
> > > >>
> > > >> <SCRIPT LANGUAGE="JavaScript" TYPE="text/javascript">
> > > >> <!--
> > > >>         window.history.forward();
> > > >> //-->
> > > >> </SCRIPT>
> > > >>
> > > >> on the preceding page....
> > > >>
> > > >> --
> > > >> Critz
> > > >> Certified Adv. ColdFusion Developer
> > > >>
> > > >> Crit[s2k] - <CF_ChannelOP Network="Efnet" Channel="ColdFusion">
> > > >> ------------------------------------
> > > >> Thursday, May 30, 2002, 1:19:09 PM, you wrote:
> > > >>
> > > >> MS> Hey all,
> > > >>
> > > >> MS> Does anyone have an easy way to prevent the user from going
> > > >> MS> back to the previous page?
> > > >>
> > > >> MS> --------------------------------------
> > > >> MS> Mark Smeets / stranger0 / ICQ: 1062196
> > > >> MS> [EMAIL PROTECTED] 
> > > >> MS> http://www.prowerks.com/stranger 
> > > >>
> > > >> MS> "Life is a series of small victories" - Gene Simmons
> > > >>
> > > >>
> > > >> MS> FAQ: http://www.thenetprofits.co.uk/coldfusion/faq 
> > > >> MS> Archives: http://www.mail-archive.com/[email protected]/
> > > >> MS> Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
> > > >>
> > > >>
> > > A>
> > >
> >
> 

