Just a feedback... No, it doesn't work.
The page 1 which sends the password is cached, but when returning from page 3 to the page 2, even though it tells me that the page has expired, if I press the refresh button, it is printed fine. And it prints the new modified version from the server, meaning that the password and username are sent from the cache of the first page. It might be another security problem of Internet Explorer. Teddy's Center: http://teddy.fcc.ro/ Email: [EMAIL PROTECTED] ----- Original Message ----- From: "Geraint Jones" <[EMAIL PROTECTED]> To: "Octavian Rasnita" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Tuesday, October 29, 2002 12:01 PM Subject: Re: A security problem On Friday 25 October 2002 9:51 am, Octavian Rasnita wrote: > Hi all, > > I've made a script that displays 2 forms one after another, then the result > page. > It works like a Wizard from Windows. > > In the first page, I print a form for getting the username and the > password, and if these are good, the script prints the second form with > some private data. > After submitting the second form, the script prints the result page. > > If the browser is not closed, and another visitor presses the back button > of the browser, they see the private data. > > I put the following header in that second page: > print $q -> header(-expires => 'now', '-Cache-Control' => 'no-cache'); > > After this, if the visitors go back to view the second page, the browser > tells that the page expired, but if the visitors refresh the page, they can > see the private data from the second form. > > > I guess the username and the password are sent again from the first form. > > How can I stop this? > > I also tried to put that header for not caching the first page, but ... > same results. > > If I try to view the first page by pressing the back button one more time, > the username is not displayed, but if I just refresh the second page, the > username and password are sent. > > In the first page I use the post method in the form. > > Thank you. > > > > Teddy's Center: http://teddy.fcc.ro/ > Email: [EMAIL PROTECTED] Try: print $q->header(-pragma=>'no-cache'); Your document will still be cached, but the web cache will check to see if there's a newer version first, and if not, show the stored document. Apparently, there's more info about pragmas at www.w3.org, specifically RFC2616 (ftp://ftp.isi.edu/in-notes/rfc2616.txt). I haven't been able to prove this though since the Network Officer where I work has disabled FTP on the proxy :-( Disclaimer: I haven't tested this out myself, so if it doesn't work - don't blame me! I'm just regurgitating what I've read in a couple of really good books. -- Geraint Jones -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
