
Prevent replay attack after logout

 
Martin Lira
Ranch Hand
Posts: 97
Hi,
I am trying to prevent a replay attack in my web application. Here is the problem: a user logs out from a session on a shared computer but leaves the browser open. A hacker clicks back in the browser and hits the refresh button. As a result, the authentication credentials are re-submitted and the hacker is logged in. Is there anything in J2EE security that can prevent this from happening?

Thanks
ML
 
Ben Souther
Sheriff
Posts: 13411
Look into the post-redirect-get pattern.

It ensures that there isn't a page rendered as a result of a POST.
There is an example in our FAQ:
Post Redirect Get
 
sudhir nim
Ranch Hand
Posts: 212
Originally posted by Martin Lira:
Hi,
I am trying to prevent a replay attack in my web application. Here is the problem: a user logs out from a session on a shared computer but leaves the browser open. A hacker clicks back in the browser and hits the refresh button. As a result, the authentication credentials are re-submitted and the hacker is logged in. Is there anything in J2EE security that can prevent this from happening?

Thanks
ML


When the user logs out, redirect him to some other page instead of forwarding the request.
It should do the work.
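
The two suggestions in this thread (Post-Redirect-Get for the login form and a redirect on logout) combined in one servlet, as an added example that is not code from any poster or from the FAQ. It assumes a Servlet 3.0 container with a security realm configured for `request.login()`; the `/login` and `/logout` mappings and the `login.jsp` and `home.jsp` pages are hypothetical names.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Map this servlet to the exact paths /login and /logout (hypothetical mappings).
public class AuthServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String ctx = req.getContextPath();

        if ("/logout".equals(req.getServletPath())) {
            // Drop the container's authenticated identity and the session state.
            req.logout();
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            // Redirect instead of forwarding: the page the browser ends up on
            // comes from a GET, not from this POST.
            resp.sendRedirect(ctx + "/login.jsp");
            return;
        }

        // Login: authenticate against the container realm (assumed configured).
        try {
            req.login(req.getParameter("username"), req.getParameter("password"));
        } catch (ServletException e) {
            // Failed login also ends in a redirect, so the error page is a GET
            // and a refresh does not re-send the submitted credentials.
            resp.sendRedirect(ctx + "/login.jsp?error=1");
            return;
        }

        // Post-Redirect-Get: never render a page as the direct response to the
        // credential POST. Back + refresh then re-requests a GET URL, which
        // carries no username or password.
        resp.sendRedirect(ctx + "/home.jsp");
    }
}
```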