Prevent replay attack after logout
Martin Lira
Ranch Hand
Posts: 97
posted 10 years ago
Hi,
I am trying to prevent replay attack in my web application. Here is problem, user logs out from session on shared computer but leaves browser open. Hacker clicks back on browser and hits refresh button. As a result, the authentication credentials are re-submitted and hacker is logged in. Is there anything in J2EE security that can prevent this from happening.
Thanks
ML
I am trying to prevent replay attack in my web application. Here is problem, user logs out from session on shared computer but leaves browser open. Hacker clicks back on browser and hits refresh button. As a result, the authentication credentials are re-submitted and hacker is logged in. Is there anything in J2EE security that can prevent this from happening.
Thanks
ML
posted 10 years ago
Look into the post-redirect-get pattern.
It insures that there isn't a page rendered as a result of a POST.
There is an example in our FAQ:
Post Redirect Get
It insures that there isn't a page rendered as a result of a POST.
There is an example in our FAQ:
Post Redirect Get
posted 10 years ago
when user logsout, redirect him to some other page insted of forwarding request.
it should do the work.
Originally posted by Martin Lira:
Hi,
I am trying to prevent replay attack in my web application. Here is problem, user logs out from session on shared computer but leaves browser open. Hacker clicks back on browser and hits refresh button. As a result, the authentication credentials are re-submitted and hacker is logged in. Is there anything in J2EE security that can prevent this from happening.
Thanks
ML
when user logsout, redirect him to some other page insted of forwarding request.
it should do the work.
