RE: Re[2]: Preventing user from going back
If the question has turned into: can you secure an application on the client side? the answer is no. If a user has access to the security source code then a way can always be devised to crack it. In my own investigation of this same topic I have concluded that the javascript cache clearing is an iffy solution at best.

The problem my own group has involves multiple people with different access permissions using the same public workstation to access patient records. If a medical director logs into our reporting site and views a patient and then logs off, what is to prevent an intern from using the back button to view the same cached report? Javascript can clear the cache, remove the back button, or force a reload of the page to check permissions. But if javascript is off in the browser, then there is nothing to prevent this.

A half-way solution we have yet to implement would be to check and see if javascript is enabled to complete the login process and then have javascript close the browser window on logout. Placing an icon to the site on the desktop would allow one-click access to return to login. But, again, this can be sidestepped.

So ultimately the real security will take place in training. In training the doctors, we stress the importance of closing the window after they access patient records. And as backup to this, we keep a server-side timestamp of their login purposefully very short to ensure with reasonable accuracy that even if they walk away from the workstation logged in, trying to continue will require logging in again. But if they leave the browser open and javascript is not enabled, then the history is open for back browsing.

Unfortunately, in the end we must conclude the obvious: an internet browser in a multi-user environment is not an ideal security arrangement. Lucky for us, we also have in-house applications that access patient records locally and which are far more secure. Further, the PCs themselves are in a secure environment or in clear view of staff.

Good Fortune,
Richard Walters, Internet Application Designer, Davita Laboratory Services
[EMAIL PROTECTED] (800) 604-5227 x
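The server-side check Rick describes (a short login timestamp that forces a fresh login once it lapses, evaluated on every page request) can be made concrete. The following is an added example written for this page, not the poster's code or Davita's application; the 120-second idle window, the role names and the shape of the session store are assumptions.

```python
"""Server-side session expiry with a short idle window (added example; this is
not the poster's code, and the timeout and role names are assumptions).

Whatever the browser keeps in its cache or history, the server decides on
every request whether the session cookie still maps to a live session.
A session dies on explicit logout and after IDLE_TIMEOUT seconds without a
request, so a replayed request from the back button is refused with 401
once either has happened, and a different user's own session is refused
with 403 when its role is too low for the page.
"""
from dataclasses import dataclass
import secrets

IDLE_TIMEOUT = 120           # seconds; assumed value for "purposefully very short"
REPORT_ROLES = {"director"}  # assumed: only directors may open the full patient report


@dataclass
class Session:
    user: str
    role: str
    last_seen: float         # caller-supplied clock (seconds) keeps the walkthrough deterministic


class SessionStore:
    def __init__(self, idle_timeout: float = IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self._live = {}      # session id -> Session; the server is the only source of truth

    def login(self, user: str, role: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)          # unguessable id handed to the browser as a cookie
        self._live[sid] = Session(user, role, now)
        return sid

    def logout(self, sid: str) -> None:
        self._live.pop(sid, None)                # the cookie left in the browser is now a dead string

    def authorize(self, sid: str, now: float):
        """Return the live Session for sid, refreshing its idle clock, or None."""
        session = self._live.get(sid)
        if session is None:
            return None
        if now - session.last_seen > self.idle_timeout:
            self._live.pop(sid)                  # expired while the user was away: drop it server side
            return None
        session.last_seen = now
        return session


def get_report(store: SessionStore, sid: str, patient_id: str, now: float) -> int:
    """Per-request check that runs on every page load; returns an HTTP status code."""
    session = store.authorize(sid, now)
    if session is None:
        return 401                               # not logged in (or no longer): back to the login page
    if session.role not in REPORT_ROLES:
        return 403                               # logged in, but this role may not see the report
    return 200                                   # the report for patient_id would be rendered here


def walkthrough() -> list:
    """Director views, logs out, intern replays; director returns, walks away, idle expiry."""
    store = SessionStore()
    statuses = []
    director = store.login("dr_smith", "director", now=0)
    statuses.append(get_report(store, director, "P-1001", now=10))        # 200
    store.logout(director)
    statuses.append(get_report(store, director, "P-1001", now=25))        # 401: replay after logout
    intern = store.login("intern_jones", "intern", now=30)
    statuses.append(get_report(store, intern, "P-1001", now=35))          # 403: own session, wrong role
    director = store.login("dr_smith", "director", now=100)
    statuses.append(get_report(store, director, "P-1001", now=110))       # 200
    statuses.append(get_report(store, director, "P-1001", now=110 + IDLE_TIMEOUT + 1))  # 401: idle
    return statuses


if __name__ == "__main__":
    print(walkthrough())
```

The point of the walkthrough is the second and last entries: the request is byte-for-byte the one that succeeded earlier, and it is refused because the server no longer holds a matching session, not because of anything the browser did.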
RE: Re[2]: Preventing user from going back
What I've done to try to prevent this is use CFHEADER to tell the browser not to cache. I made the following code into a Custom Tag and call it from my app_layout.cfm (Fusebox). This should force each page to reload from the server. If you are checking for a valid login with each page load, you will catch those trying to view a page who are not logged in.

I'm not sure how many browsers support this, but I think it's safe to assume versions 4+ of IE and NS should work. Anyone on the list have better info on these headers? I admit I haven't tested this code thoroughly and compared browsers. For my purposes, I just want to do all I can to prevent the problem, but it's no security problem if it doesn't work consistently.

Also, I believe that IE and NS had a slightly different way of handling the Last-Modified header and the CFSCRIPT code is supposed to handle this, I think (I found this code somewhere and don't recall all the details). Maybe this is worth a look?

Chris Lofback
Sr. Web Developer
TRX Integration
28051 US 19 N., Ste. C
Clearwater, FL 33761
www.trxi.com

<CFSCRIPT>
  GMT = GetTimeZoneInfo();
  GMT = GMT.UTCHourOffset;
  if (GMT IS 0) GMT = '';
  else if (GMT GT 0) GMT = "+" & GMT;
</CFSCRIPT>
<CFHEADER NAME="Pragma" VALUE="no-cache">
<CFHEADER NAME="Cache-Control" VALUE="no-cache, must-revalidate">
<CFHEADER NAME="Last-Modified" VALUE="#DateFormat(Now(),'ddd, dd mmm yyyy')# #TimeFormat(Now(),'HH:mm:ss')# GMT#GMT#">
<CFHEADER NAME="Expires" VALUE="Mon, 26 Jul 1997 05:00:00 GMT">

FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
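Chris asks whether anyone has better information on these headers. As an added example (not from the post or from TRX), the audit below encodes what the HTTP caching rules say: Cache-Control: no-cache only obliges the browser to revalidate a stored copy before reusing it, while no-store is the directive that forbids writing the response to the cache at all, and that is the one that matters for a page reached through the back button. The header set transcribed from the CFHEADER tags above is checked beside a hardened set; the clock value and the date standing in for Now() are constructed.

```python
"""Audit of cache headers for a page that carries patient data (added example,
not code from the post).  THREAD_HEADERS transcribes the four CFHEADER tags in
the message above, with a fixed date standing in for the Now()-based
Last-Modified; HARDENED_HEADERS is the set this audit accepts.  NOW is a
constructed clock so the Expires check is deterministic.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime  # stdlib parser for RFC 1123 dates

NOW = datetime(2002, 5, 31, 14, 50, tzinfo=timezone.utc)

THREAD_HEADERS = {
    "Pragma": "no-cache",
    "Cache-Control": "no-cache, must-revalidate",
    "Last-Modified": "Fri, 31 May 2002 14:50:00 GMT",   # stand-in for the Now()-derived value
    "Expires": "Mon, 26 Jul 1997 05:00:00 GMT",
}

HARDENED_HEADERS = {
    "Pragma": "no-cache",
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Expires": "0",                                      # an unparsable date means "already expired"
}


def parse_cache_control(value: str) -> dict:
    """Split 'a, b=1' into {'a': None, 'b': '1'}; names lower-cased, quotes stripped."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def expires_in_future(value: str, now: datetime) -> bool:
    try:
        return parsedate_to_datetime(value) > now
    except (TypeError, ValueError):
        return False           # RFC 7234: an invalid date such as "0" counts as already expired


def audit_cache_headers(headers: dict, now: datetime = NOW) -> list:
    """Return findings for a sensitive response; an empty list means nothing to fix."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    findings = []
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store: no-cache only forces revalidation "
                        "before reuse, so the page may still be written to disk and shown from history")
    if cc.get("max-age") not in (None, "0"):
        findings.append("Cache-Control max-age is positive: page is reusable without revalidation")
    if "public" in cc:
        findings.append("Cache-Control: public lets shared caches keep the page")
    if h.get("pragma", "").lower() != "no-cache":
        findings.append("Pragma: no-cache missing (the only directive HTTP/1.0 caches honour)")
    if "expires" not in h:
        findings.append("Expires missing")
    elif expires_in_future(h["expires"], now):
        findings.append("Expires is in the future")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("thread", THREAD_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_cache_headers(hdrs) or "OK")
```

Run against the thread's set the audit reports exactly one thing, the missing no-store; the hardened set is clean. The Last-Modified header is deliberately left out of the audit: it helps revalidation but has no bearing on whether a stored copy can be shown from history.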
RE: Re[2]: Preventing user from going back
I forgot to mention that the code needs to go before any HTML code, including the <!DOCTYPE> tag.

Chris Lofback
Sr. Web Developer
TRX Integration
28051 US 19 N., Ste. C
Clearwater, FL 33761
www.trxi.com
Re: Re[2]: Preventing user from going back
What if I view the file source, erase all the javascript code that is bothering me, save the file onto my local hard disk, run the browser over it and try going back???

Regards,
Mario

----- Original Message -----
From: Critz [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Thursday, May 30, 2002 2:18 PM
Subject: Re[2]: Preventing user from going back

oi Alex!!

then you could always do this

<noscript><meta refresh ...></noscript>

seeing as how most of us develop web applications and not websites... if javascript is disabled, then they don't need to be there..

--
Critz
Certified Adv. ColdFusion Developer
Crit[s2k] - CF_ChannelOP
Network=Efnet Channel=ColdFusion

Thursday, May 30, 2002, 2:07:05 PM, you wrote:

A> What happens if I disable javascript?

A> On Thu, 30 May 2002, Critz wrote:

oi Mark!!

<SCRIPT LANGUAGE="JavaScript" TYPE="text/javascript">
<!--
window.history.forward();
//-->
</SCRIPT>

on the preceding page

--
Critz
Certified Adv. ColdFusion Developer
Crit[s2k] - CF_ChannelOP
Network=Efnet Channel=ColdFusion

Thursday, May 30, 2002, 1:19:09 PM, you wrote:

MS> Hey all,
MS> Does anyone have an easy way to prevent the user from going back to the previous page?
MS> --
MS> Mark Smeets / stranger0 / ICQ: 1062196
MS> [EMAIL PROTECTED]
MS> http://www.prowerks.com/stranger
MS> Life is a series of small victories - Gene Simmons
Re: Re[2]: Preventing user from going back
One could do what-ifs all day long; if you need to worry about someone going through all that much trouble, then perhaps you should just not put the information on the web in the first place. Heck, you asked for an easy way and are coming up with complicated ways they can get past that.

--
Snipe - CF_BotMaster
Network=EFNet Channel=ColdFusion
Re: Re[2]: Preventing user from going back
Interesting point. I took it upon myself to test out your question and found that you CAN go back.
RE: Re[2]: Preventing user from going back
The only way I have seen to do this, and it was mentioned by someone earlier, is to only allow for a specific referer. You would use the URL of the page that the user 'should' be coming from, like this:

<cfif cgi.HTTP_REFERER is "my url">
  <!--- Allow the template to process --->
<cfelse>
  <!--- move them somewhere else, either with cflocation or a script --->
</cfif>

Tim Heald
ACP/CCFD :)
Application Development
www.schoollink.net
RE: Re[2]: Preventing user from going back
And then all someone has to do is use a program to spoof the referrer information and they're in. The only thing that you as a web programmer can do without beating your head against the wall is to make sure you qualify all variables passed to the page, check them to make sure they are of the length and type you want, and then have error checking to test the values. If you do that, then it doesn't matter where the information is coming from.

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org
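Tim's cgi.HTTP_REFERER test and Anthony's reply that the referer can be spoofed, so only validating the parameters themselves is worth the effort, can be shown together. The code below is an added example, not either poster's code: EXPECTED_REFERER, the parameter schema for report.cfm and the three raw requests are constructed for the illustration. It parses a raw HTTP request, applies the referer gate, and applies the type and length checks Anthony describes; the forged request passes the gate and fails validation, while a genuine request whose browser or proxy sends no Referer fails the gate and passes validation.

```python
"""Referer as a gate versus validating what the page actually receives (added
example; not the code of either poster).  The cfif in the thread checks
cgi.HTTP_REFERER; referer_gate() below does the same thing in Python.
EXPECTED_REFERER, the parameter schema and the three raw requests are all
constructed for the illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

EXPECTED_REFERER = "https://reports.example.org/patients.cfm"   # assumed value of 'my url'

# Assumed rules for report.cfm: an integer id of bounded size and a short lowercase section name.
SCHEMA = {
    "patient_id": {"kind": "int", "min": 1, "max": 99_999_999},
    "section": {"kind": "str", "pattern": re.compile(r"[a-z_]{1,20}")},
}


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, params, headers); last value wins per name."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = {k: v[-1] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    return method, url.path, params, headers


def referer_gate(headers: dict) -> bool:
    """The thread's check. Referer is set by the client, so this passes whatever the client chooses."""
    return headers.get("referer", "") == EXPECTED_REFERER


def validate_params(params: dict, schema: dict = SCHEMA) -> dict:
    """Return {name: problem} for each parameter that is missing, unexpected, or of the wrong shape."""
    problems = {}
    for name, rule in schema.items():
        value = params.get(name)
        if value is None:
            problems[name] = "missing"
        elif rule["kind"] == "int":
            if not re.fullmatch(r"\d{1,9}", value):           # digits only: no sign, space, quote or letter
                problems[name] = "not an integer"
            elif not rule["min"] <= int(value) <= rule["max"]:
                problems[name] = "out of range"
        elif not rule["pattern"].fullmatch(value):
            problems[name] = "wrong format or length"
    for name in params:
        if name not in schema:
            problems[name] = "unexpected parameter"
    return problems


def assess(raw: str) -> dict:
    """What each check says about a request; the gate's verdict and the validator's are independent."""
    _method, _path, params, headers = parse_request(raw)
    return {"referer_ok": referer_gate(headers), "param_problems": validate_params(params)}


# Constructed requests.  FORGED carries the expected Referer (trivial to set from a script or proxy)
# but garbage parameters; NO_REFERER is a legitimate user whose browser or proxy strips Referer.
GENUINE = ("GET /report.cfm?patient_id=1001&section=labs HTTP/1.1\r\n"
           f"Host: reports.example.org\r\nReferer: {EXPECTED_REFERER}\r\n\r\n")
FORGED = ("GET /report.cfm?patient_id=1001abc&section=LABS%20RESULTS&debug=1 HTTP/1.1\r\n"
          f"Host: reports.example.org\r\nReferer: {EXPECTED_REFERER}\r\nUser-Agent: curl/7.0\r\n\r\n")
NO_REFERER = ("GET /report.cfm?patient_id=1001&section=labs HTTP/1.1\r\n"
              "Host: reports.example.org\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("forged", FORGED), ("no referer", NO_REFERER)):
        print(label, assess(raw))
```

The gate gets the two interesting cases backwards: it admits the forged request and turns away the user with no Referer. The validator is indifferent to where the request came from, which is exactly Anthony's point; the integer check deliberately matches digits only rather than calling int() on whatever arrives, so signs, whitespace and quotes are rejected rather than silently accepted.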