Forum:

Prevent replay attack after logout

Ranch Hand

Posts: 97

posted 17 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

Hi,
I am trying to prevent replay attack in my web application. Here is problem, user logs out from session on shared computer but leaves browser open. Hacker clicks back on browser and hits refresh button. As a result, the authentication credentials are re-submitted and hacker is logged in. Is there anything in J2EE security that can prevent this from happening.

Thanks
ML

Ben Souther

Sheriff

Posts: 13411

I like...

posted 17 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

Look into the post-redirect-get pattern.

It insures that there isn't a page rendered as a result of a POST.
There is an example in our FAQ:
Post Redirect Get

Java API J2EE API Servlet Spec JSP Spec How to ask a question... Simple Servlet Examples jsonf

sudhir nim

Ranch Hand

Posts: 212

I like...

posted 17 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

Originally posted by Martin Lira:
Hi,
I am trying to prevent replay attack in my web application. Here is problem, user logs out from session on shared computer but leaves browser open. Hacker clicks back on browser and hits refresh button. As a result, the authentication credentials are re-submitted and hacker is logged in. Is there anything in J2EE security that can prevent this from happening.

Thanks
ML

when user logsout, redirect him to some other page insted of forwarding request.
it should do the work.

[Servlet tutorial] [Servlet 3.0 Cook Book]

Did you see how Paul cut 87% off of his electric heat bill with 82 watts of micro heaters?