Logout a user if he/she browses to another website on the same tab.

 
Greenhorn
Hello All,

I have a client requirement which I am finding hard to resolve. I've done searches on the net but did not find any concrete solution. The requirement goes as such:
The application is built on Spring MVC 3. When the user has logged in and is using the application, and the user switches to another website like Google.com then presses the back button of the browser (i.e. the user now accesses the application), the user should be logged out. Can anyone please advise how this requirement can be achieved?

Till now I have tried to use a filter but I am unable to get the previous URL (here google.com).

Thanks in advance for any advice


Regards,
Neerou
 
Sheriff
Just as well you can't get the URL of the previous page the user looked at; chances are that would be a security flaw. It's at least a privacy violation.

I'm curious about why that is a requirement at all. Why is it your application's business if the user decides to look at another site?
 
Neerou Basdeo
Greenhorn
The application I am working on handles sensitive data. So the client does not want sensitive data to be available in case a user does not log out of the application and starts navigating elsewhere. Is it a worthwhile requirement?
 
Saloon Keeper
It sounds like your clients don't know enough about security to make a requirement like this. Ask them why they think they need this. Let them draw up a detailed situation where they think sensitive data may be leaked.
 
Paul Clapham
Sheriff
Perhaps the scenario is this:

1. Authorized person uses the app

2. Authorized person goes to some other site (in the same tab)

3. Authorized person leaves the computer unattended

4. Unauthorized person arrives and presses back button, sees the app

5. Unauthorized person uses the app

But then there's this scenario:

1. Authorized person uses the app

2. Authorized person leaves the computer unattended

3. Unauthorized person arrives

4. Unauthorized person uses the app

There isn't a technical fix to prevent that scenario from occurring, and yet it's much more likely than the first.
 
Bartender
Companies where people leave their desk without locking their computer have a problem, in my opinion. Lots of environments actually require people to do that, by law.
 