How bank sites throw the user to a session expired page when the browser's refresh or back button is clicked

 
Greenhorn
Dear All,

I got a task from my manager regarding the browser's back button and refresh button. He asks that the web application has to work like a bank's site... meaning if I refresh or click on the browser's Back button, then it has to throw the user out of the session. I checked a lot on the internet, but I found only things like disabling the back button or disabling the F5 key. He's not accepting that.

Can anyone please suggest how to approach this? Can we throw the user out of the session when he clicks on the browser's back button or refresh button?

I think it's possible, but I don't know how to implement it.

Please help me with this.


Thanks & Regards,
Udaya Prasad
 
Sheriff
Do you mean after logout? My bank site doesn't "kick me out" whenever I refresh or use back when using the site. Please be clear on what you are trying to accomplish.
 
Ranch Hand
It does depend on the browser.

Some "back" buttons simply bring up a cached copy of the page without accessing the server.

Some "refresh" buttons do the same thing, unless you hold down shift or ctrl.


I have seen this done using JavaScript and Ajax on each page, but it is complicated.


WP
 
udaya prasad vakalapudi
Greenhorn
Hi All,

Thanks for replying.

I tried a lot with JavaScript; I think it's almost impossible, because there is no event for identifying the browser's back or refresh buttons. And calling AJAX every time to check user availability is also not a good idea (more hits on the server).

Hi William,
You said some "back" buttons simply bring up a cached copy of the page without accessing the server.

But most bank sites definitely use the below kind of code for cache and cookie removal.



Security Policy:

Same Origin Policy:

Is there any policy-like setting between the browser and the web application? I heard of one policy called the "same origin policy" for security settings.
See, if we use any bank site for the first time in a freshly installed Google Chrome browser, it will show something like "Your browser settings are changed for this site..." on first use.

Please help me with this...


 
udaya prasad vakalapudi
Greenhorn
Hi Bear Bibeault sir,

My problem is not about after logout. My problem is for a user within the session, working with the site, who unfortunately clicks on the refresh or back button; it sends him out of the session.

There are some sites which work the same way.



Thanks & Regards,

Udaya Prasad




 
Bear Bibeault
Sheriff
How unfriendly. What is the rationale behind this weird and hostile behavior?
 
author & internet detective
Step 1: Try to convince the requestor he/she doesn't really want this. It's horrible usability.

If you absolutely must do this, the things to think about are disallowing caching and using a unique token per page. All links and forms on the page get that token. Only requests with that token are accepted.
 
udaya prasad vakalapudi
Greenhorn
Hi Sir, please help me.
 
Bear Bibeault
Sheriff
Huh? It's not you that's unfriendly, it's this "feature" you are asking about. It's horrible! Why would you kick a user out of the system because they refreshed or hit the back button?
 
udaya prasad vakalapudi
Greenhorn
Dear Bear Bibeault sir,

In all Indian bank sites, they are following the same scenario. I don't know exactly... but they are doing it like that only for security reasons. My manager is telling me it is good to implement to provide more security to our site.
 
udaya prasad vakalapudi
Greenhorn
Hi Jeanne Boyarsky,

Using token validation, how can we approach this? I mean, is there anything to identify the browser refresh button event?
Can you please explain more...
 
Ranch Hand

udaya prasad vakalapudi wrote:Dear All,

I got a task from my manager regarding the browser's back button and refresh button. He asks that the web application has to work like a bank's site... meaning if I refresh or click on the browser's Back button, then it has to throw the user out of the session. I checked a lot on the internet, but I found only things like disabling the back button or disabling the F5 key. He's not accepting that.

Can anyone please suggest how to approach this? Can we throw the user out of the session when he clicks on the browser's back button or refresh button?

I think it's possible, but I don't know how to implement it.

Please help me with this.


Thanks & Regards,
Udaya Prasad



This might not be an answer, but I have not seen any Indian bank site throwing the user out of the session when he refreshes the page or presses the back button. I tried it with the corresponding net banking application of my bank's site and it did not throw me out of the session. And like others said, this really is very annoying behaviour.
 
Ranch Hand
Hi, I think only when the user clicks on refresh or back and the session has already expired at that time should it go to the session expired page. For security purposes you can disable the back button.
 
udaya prasad vakalapudi
Greenhorn
Hi,

If you take ICICI Bank or Axis Bank, or take India's most wanted site, www.irctc.co.in:
all these sites work on the same scenario. After a successful login, if the user clicks on the browser's back or refresh buttons, it throws the user to the session expired page.
 
Ranch Hand

udaya prasad vakalapudi wrote:
In all Indian bank sites, they are following the same scenario. I don't know exactly... but they are doing it like that only for security reasons. My manager is telling me it is good to implement to provide more security to our site.


Well, read this FAQ.
 
udaya prasad vakalapudi
Greenhorn
Hi Seetharaman,

I'm not clear about how duplicate form submission will work for throwing the user out of the session, because mostly the form submissions (taking inputs from the user) in bank sites take place only at the time of transferring funds. But I want to throw the user to the session expired page at any time in the session if he/she clicks on the browser's refresh button, so PRG will not take place here. Everyone implements PRG at the time of taking user inputs and getting results at the same time, nowhere else. But in bank sites the user will mostly give inputs only at the time of fund transfer; in the rest of the places I don't think they will use PRG.

Moreover, we are using Struts saveToken() and isTokenValid() for avoiding duplicate form submissions.

Any suggestion from you? Please help me if you have done this kind of thing earlier.
 
Jeanne Boyarsky
author & internet detective

udaya prasad vakalapudi wrote:Hi Jeanne Boyarsky,

Using token validation, how can we approach this? I mean, is there anything to identify the browser refresh button event?
Can you please explain more...


It isn't about identifying the refresh button specifically. It is about identifying any non-linear pattern. It could be a user typing in a URL directly or the like.

Pattern for each request (probably in a filter)
- if not first visit, check submitted token matches current one
- generate a new random token
- edit the html page to add that token to every link/form (which is why I recommend filter)

Incidentally, my US bank does allow use of the back and refresh buttons.
 
udaya prasad vakalapudi
Greenhorn
Hi Jeanne Boyarsky,

I got your logic, but I'm getting somewhat confused about implementing it.
In the filter class I wrote the following code:

In this doFilter method I'm getting confused about how to use an if condition to check that the submitted token matches the current one.

How do I add the token to every JSP?
I'm just trying to compare in every JSP like below, but it's not working.



One more thing... the <filter-mapping> tag works only for requests going to the server... meaning (in our case) error handling with the refresh button may work, but for the back and forward buttons it will not work.




Can you please elaborate somewhat...
 
Ranch Hand
In the past few days I worked on the same task; the following article helps with solving the problem:

http://www.javaworld.com/javaworld/jw-09-2004/jw-0927-logout.html

 
udaya prasad vakalapudi
Greenhorn
Hi Umamahesh,

Well, I don't want the logout problem. My question was entirely different...

He asks that the web application has to work like a bank's site... meaning if I refresh or click on the browser's Back button, then it has to throw the user out of the session. I checked a lot on the internet, but I found only things like disabling the back button or disabling the F5 key. He's not accepting that.

 
udaya prasad vakalapudi
Greenhorn
Hi Jeanne Boyarsky,

I have done this in the way you said.

Thanks Jeanne.
 
Greenhorn
Hi Udaya Prasad,

I would like to implement the same functionality in a secure application.
Can you please explain the solution you got?

Thanks in advance!!
 
Greenhorn
Hello udaya prasad vakalapudi,

I need to implement a similar kind of logic, so could you please explain how you did it? It would be better if you post the code snippet.


Thanks in advance.
 
Greenhorn

Jeanne Boyarsky wrote:

udaya prasad vakalapudi wrote:Hi Jeanne Boyarsky,

   Using token validation, how can we approach this? I mean, is there anything to identify the browser refresh button event?
 Can you please explain more...


It isn't about identifying the refresh button specifically.  It is about identifying any non-linear pattern.  It could be a user typing in a URL directly or the like.

Pattern for each request (probably in a filter)
- if not first visit, check submitted token matches current one
- generate a new random token
- edit the html page to add that token to every link/form (which is why I recommend filter)

Incidentally, my US bank does allow use of the back and refresh buttons.



Hi Jeanne Boyarsky,

Could you please clarify this flow for me?

1) The user types the URL in the browser.
2) The first request is received in the filter. Inside the filter, we check the attribute "requestToken" in HttpServletRequest. Since this is the first request, this will be null, so we generate a new random token and set the attribute "sessionToken" in the Session object.
3) When the JSP is loaded, we get the "sessionToken" and set it in "requestToken".
4) When the 2nd (or any subsequent) request is sent from the JSP, the "requestToken" is appended to the request as a parameter (is the request token appended when the user refreshes the page also?? This is confusing :( ).
5) The request is received in the filter. The filter takes the "requestToken" sent along with the request and compares it with "sessionToken". If it is the same, then we generate a new random token and set the attribute "sessionToken" in the Session object again.

I am a bit confused with the above flow. If we always get the "requestToken" in the JSP via the session and send it along with the request as a parameter, then it will always work, right? How will it fail when we reload the page or open the URL in a different browser tab? Please suggest the changes I need to make in my flow.

Another question: do we do any comparison inside JSPs or generate tokens on JSP load too?
 
Jeanne Boyarsky
author & internet detective
Aman,
You need to generate a new token and put it in the session each time the user accesses a page. And have the filter reject any requests that don't have the latest token. For example:

1) New user; first request - generate token ABC4 and put it in session attribute
2) Render JSP with ABC4 parameter on all links
3) User hits one of the links which has ABC4
4) In filter, check parameter matches ABC4
5) Generate new token TFE99.
6) Render JSP with TFE99 parameter on all links
7) User hits back which has ABC4 on the link
8) In filter, reject because parameter does not match TFE99
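Jeanne's eight-step walk-through above, written out as a servlet filter. This is an added example, not code from the thread or from any of the bank sites named in it; the parameter name `pageToken`, the session attribute `currentPageToken`, and the `/login.jsp` and `/sessionExpired.jsp` paths are assumptions chosen for illustration. The filter also sets the no-cache headers from the "disallow caching" half of Jeanne's advice, which is what forces a Back press to reach the server at all (William's point about cached copies).

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the original thread): a per-page token filter.
 * Every response is rendered with a fresh token that must be echoed back on
 * the next request. A request carrying an old token (Back button, Refresh,
 * a second tab) or no token at all is treated as a broken sequence: the
 * session is invalidated and the user is sent to the expiry page.
 *
 * Assumed names (hypothetical): request parameter "pageToken", session
 * attribute "currentPageToken", pages /login.jsp and /sessionExpired.jsp.
 * JSPs must append the token to every link and form, e.g.
 *   <a href="balance.do?pageToken=${pageToken}">Balance</a>
 */
public class PageSequenceFilter implements Filter {

    static final String PARAM = "pageToken";                  // assumed
    static final String SESSION_ATTR = "currentPageToken";    // assumed
    static final String LOGIN_PAGE = "/login.jsp";            // assumed
    static final String EXPIRED_PAGE = "/sessionExpired.jsp"; // assumed

    private final SecureRandom random = new SecureRandom();

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Never let the browser serve a cached copy: Back has to reach the
        // server so the filter can see the stale token.
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        HttpSession session = request.getSession(false);
        if (session == null) {
            // No session at all: not logged in, let the login flow handle it.
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }

        String expected = (String) session.getAttribute(SESSION_ATTR);
        String submitted = request.getParameter(PARAM);

        // Step 4/8: any visit after the first must carry the latest token.
        if (expected != null && !tokensMatch(expected, submitted)) {
            session.invalidate();
            response.sendRedirect(request.getContextPath() + EXPIRED_PAGE);
            return;
        }

        // Step 1/5: first request after login, or a valid step; rotate the
        // token and expose it to the JSP as a request attribute.
        String next = newToken();
        session.setAttribute(SESSION_ATTR, next);
        request.setAttribute(PARAM, next);

        chain.doFilter(request, response);
    }

    /** 128 random bits, URL-safe so the token can sit in a query string. */
    String newToken() {
        byte[] buf = new byte[16];
        random.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    /** Constant-time comparison so response timing cannot leak the token. */
    static boolean tokensMatch(String expected, String submitted) {
        if (submitted == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }
}
```

Map the filter only to the controller URL pattern (for example `*.do` under Struts), not to static resources or the login action, or every image request would rotate the token and kill the session. Two caveats worth putting in front of the manager: a second browser tab fails the check too, since it carries the older token, and `Cache-Control: no-store` keeps the page out of the HTTP cache but whether it also keeps it out of a browser's back/forward cache is browser-dependent, so a Back press that never reaches the server cannot be caught by any filter, which is exactly the limitation the <filter-mapping> remark earlier in the thread points at.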
 