
How Bank sites Throw user to Session Expire Page by clicking on browser's refresh, back buttons

 
udaya prasad vakalapudi
Greenhorn
Posts: 13
Dear All,

I got a task from my manager regarding the browser's back and refresh buttons. He asks that the web application work like bank sites, meaning that if I refresh or click the browser's Back button, it has to throw the user out of the session. I searched a lot on the internet, but I found only things like disabling the back button or disabling the F5 key. But he’s not accepting that.

Can anyone please suggest how to approach this? Can we throw the user out of the session when he clicks the browser's back or refresh button?

I think it's possible, but I don't know how to implement it.

Please help me with this.


Thanks & Regards,
Udaya Prasad
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65960
Do you mean after logout? My bank site doesn't "kick me out" whenever I refresh or use back when using the site. Please be clear on what you are trying to accomplish.
 
William P O'Sullivan
Ranch Hand
Posts: 859
It does depend on the browser.

Some "back" buttons simply bring up a cached copy of the page without accessing the server.

Some "refresh" buttons do the same thing, unless you hold down shift or ctrl.


I have seen this done using javascript and ajax on each page, but it is complicated.


WP
 
udaya prasad vakalapudi
Greenhorn
Posts: 13
Hi All,

Thanks for Replying,

I tried a lot with JavaScript; I think it's almost impossible, because there is no event for identifying the browser's back or refresh buttons. And calling AJAX every time to check user availability is also not a good idea (more hits for the server).

Hi William,
You said some "back" buttons simply bring up a cached copy of the page without accessing the server.

But most bank sites definitely use the below kind of code for removing cache and cookies.



Security Policy:

Same Origin Policy:

Is there any policy kind of setting between the browser and the web application? I heard of one policy like "same origin policy" for security settings.
See, if we use any bank site for the first time in a freshly installed Google Chrome browser, it will show something like “Your browser settings are changed for this site…” on first use.

Please help me in this...


 
udaya prasad vakalapudi
Greenhorn
Posts: 13
Hi Bear Bibeault sir,

My problem is not about after logout. My problem is about a user who is within the session and working with the site and unfortunately clicks the refresh or back button; it sends him out of the session.

There are some sites which work the same way.



Thanks & Regards,

Udaya Prasad




 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65960
  • Likes 1
How unfriendly. What is the rationale behind this weird and hostile behavior?
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 36818
Step 1: Try to convince the requestor he/she doesn't really want this. It's horrible usability.

If you absolutely must do this, the things to think about are disallowing caching and using a unique token per page. All links and forms on the page get that token. Only requests with that token are accepted.
 
udaya prasad vakalapudi
Greenhorn
Posts: 13
Hi Sir, please help me.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65960
Huh? It's not you that's unfriendly, it's this "feature" you are asking about. It's horrible! Why would you kick a user out of the system because they refreshed or hit the back button?
 
udaya prasad vakalapudi
Greenhorn
Posts: 13
Dear Bear Bibeault sir,

In all Indian bank sites, they are following the same scenario. I don't know exactly... but they are doing it only for security reasons. My manager says it is good to implement to provide more security for our site.
 
udaya prasad vakalapudi
Greenhorn
Posts: 13
Hi Jeanne Boyarsky,

Using token validation, how can we approach this? I mean, is there anything to identify the browser refresh button event?
Can you please explain more...
 
gurpeet singh
Ranch Hand
Posts: 924
udaya prasad vakalapudi wrote: Dear All,

I got a task from my manager regarding the browser's back and refresh buttons. He asks that the web application work like bank sites, meaning that if I refresh or click the browser's Back button, it has to throw the user out of the session. I searched a lot on the internet, but I found only things like disabling the back button or disabling the F5 key. But he’s not accepting that.

Can anyone please suggest how to approach this? Can we throw the user out of the session when he clicks the browser's back or refresh button?

I think it's possible, but I don't know how to implement it.

Please help me with this.


Thanks & Regards,
Udaya Prasad


This might not be an answer, but I have not seen any Indian bank site throwing the user out of the session when he refreshes the page or presses the back button. I tried it with the netbanking application of my own bank's site and it did not throw me out of the session. And like others said, this really is very annoying behaviour.
 
Habeeb Shaikh
Ranch Hand
Posts: 48
Hi, I think that only when the user clicks the refresh or back button and the session has already expired at that time should it go to the session expired page. For security purposes you can disable the back button.
 
udaya prasad vakalapudi
Greenhorn
Posts: 13
Hi,

If you take ICICI Bank or Axis Bank, or take India's most wanted site www.irctc.co.in, all these sites work on the same scenario. After successful login, if the user clicks the browser's back or refresh button, it throws the user to the session expire page.
 
Seetharaman Venkatasamy
Ranch Hand
Posts: 5575
udaya prasad vakalapudi wrote:
In all Indian bank sites, they are following the same scenario. I don't know exactly... but they are doing it only for security reasons. My manager says it is good to implement to provide more security for our site.

Well, read this FAQ.
 
udaya prasad vakalapudi
Greenhorn
Posts: 13
Hi Seetharaman,

I'm not clear how duplicate form submission handling will work for throwing the user out of the session. Mostly, form submission (taking inputs from the user) in bank sites takes place at the time of transferring funds only. But I want to throw the user to the session expire page at any time in the session if he/she clicks the browser's refresh button. So PRG will not take place here. Everyone implements PRG where the user gives inputs and gets results at the same time, and nowhere else. But in bank sites the user mostly gives inputs at the time of fund transfer only; in the rest of the places I don't think they will use PRG.

Moreover, we are using Struts saveToken() and isTokenValid() to avoid duplicate form submissions.

Any suggestions from you? Please help me if you have done these kinds of things earlier.
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 36818
udaya prasad vakalapudi wrote: Hi Jeanne Boyarsky,

Using token validation, how can we approach this? I mean, is there anything to identify the browser refresh button event?
Can you please explain more...

It isn't about identifying the refresh button specifically. It is about identifying any non-linear pattern. It could be a user typing in a URL directly or the like.

Pattern for each request (probably in a filter)
- if not first visit, check submitted token matches current one
- generate a new random token
- edit the html page to add that token to every link/form (which is why I recommend filter)

Incidentally, my US bank does allow use of the back and refresh buttons.
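
The per-request pattern from the post above, written as a servlet filter. This is an added example, not code posted by anyone in the thread. It assumes the javax.servlet API; the names `ptoken`, `pageToken` and `/sessionExpired.jsp` are hypothetical, and the JSPs are assumed to append the request attribute to their own links and forms instead of the filter rewriting the HTML.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example. ATTR, PARAM and /sessionExpired.jsp are assumed names.
public class PageTokenFilter implements Filter {
    static final String ATTR = "pageToken";  // session and request attribute
    static final String PARAM = "ptoken";    // parameter carried by every link/form
    private static final SecureRandom RNG = new SecureRandom();

    static String newToken() {               // 256 random bits, URL-safe
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    static boolean matches(String expected, String submitted) {
        return submitted != null && MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            submitted.getBytes(StandardCharsets.UTF_8));
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false);
        if (session == null) { chain.doFilter(req, res); return; } // login flow not gated
        String expected = (String) session.getAttribute(ATTR);
        // Not the first visit: the submitted token must match the current one.
        if (expected != null && !matches(expected, req.getParameter(PARAM))) {
            session.invalidate();  // refresh, back or a typed URL replays a stale token
            res.sendRedirect(req.getContextPath() + "/sessionExpired.jsp");
            return;
        }
        String next = newToken();            // single use: rotate on each accepted request
        session.setAttribute(ATTR, next);
        req.setAttribute(ATTR, next);        // JSP adds ?ptoken=... to each link and form
        res.setHeader("Cache-Control", "no-store"); // Back must hit the server, not a cache
        chain.doFilter(req, res);
    }
}
```

Map the filter only to page URLs and not to images, scripts or stylesheets, because every accepted request rotates the token and a sub-resource request would invalidate the one embedded in the page.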
 
udaya prasad vakalapudi
Greenhorn
Posts: 13
Hi Jeanne Boyarsky,

I got your logic, but I'm somewhat confused about how to implement it.
In the filter class I have written the following code

In this doFilter method I'm confused about how to use an if condition to check that the submitted token matches the current one.

How do I add the token to every JSP?
I am just trying to compare every JSP like below, but it's not working.



One more thing: the <filter-mapping> tag works for requests going to the server only, meaning that in our case only error handling with the refresh button may work; for the back and forward buttons it will not work.




Can you please elaborate somewhat...
 
Pyla Rao
Ranch Hand
Posts: 51
In past days I worked on the same task; the following article will help you solve the problem:

http://www.javaworld.com/javaworld/jw-09-2004/jw-0927-logout.html

 
udaya prasad vakalapudi
Greenhorn
Posts: 13
Hi Umamahesh,

Well, but I don't have a logout problem. My question was entirely different...
He asks that the web application work like bank sites, meaning that if I refresh or click the browser's Back button, it has to throw the user out of the session. I searched a lot on the internet, but I found only things like disabling the back button or disabling the F5 key. But he’s not accepting that.
 
udaya prasad vakalapudi
Greenhorn
Posts: 13
Hi Jeanne Boyarsky,

I have done this in the way you said.

Thanks Jeanne.
 
mallikarjuna Gongati
Greenhorn
Posts: 1
Hi Udaya prasad,

I would like to implement the same functionality in one of our secure applications.
Can you please explain the solution you got?

Thanks in advance!!
 
SraJaSpring Kumar
Greenhorn
Posts: 7
Hello udaya prasad vakalapudi,

I need to implement a similar kind of logic, so could you please explain how you did it? It would be better if you post the code snippet.


Thanks in advance.
 