I have a few ideas that may help:

Try making it so when page one loads the password form to fill out, it includes a 'hidden' input type with a token value. (For this situation, it won't matter that it is not really hidden when users view the HTML source, if you're worried about that.) What it would do is when the user presses 'send', it will send the username, password, and token to the server. The server can store and view the 'last token used.' If the token is the last token to be used for that username and password, it can report to the user that the private data cannot be shown in a re-post. If the user reloads the form page (page one), it will generate a new token from the server while wiping out the form's data (username and password) in the browser. Then, when the user presses Submit, it will send a new token, let the server see it is not the last token used, and allow the transaction, updating the last token recorded on the server, and then showing the private data.

---

A completely different way is to use JavaScript, where you have a page zero before page one. On page zero, you write a little JavaScript that just checks if there are three pages ahead of this page in the JavaScript History object. The first time, this is False, so it won't trigger anything. On page three, set the history object to back up three places, which will cause that page to open again. Back at page zero, the JavaScript there runs again, checks if the History object has three pages ahead, sees this is True, and triggers an opening of another page, like a confirmation page. Opening this other page will automatically cause the browser to store it in the history slot just after page zero, eliminating pages 1, 2 and 3 in the history list. At that point, the back button will only go back to page zero, or forward to the newly loaded page.

Hope that helps!
-----Original Message-----
From: Octavian Rasnita [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 30, 2002 11:19 PM
To: Geraint Jones; [EMAIL PROTECTED]
Subject: Re: A security problem

Just a feedback...

No, it doesn't work. The page 1 which sends the password is cached, but when returning from page 3 to the page 2, even though it tells me that the page has expired, if I press the refresh button, it is printed fine. And it prints the new modified version from the server, meaning that the password and username are sent from the cache of the first page.

It might be another security problem of Internet Explorer.

Teddy's Center: http://teddy.fcc.ro/
Email: [EMAIL PROTECTED]

----- Original Message -----
From: "Geraint Jones" <[EMAIL PROTECTED]>
To: "Octavian Rasnita" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, October 29, 2002 12:01 PM
Subject: Re: A security problem

On Friday 25 October 2002 9:51 am, Octavian Rasnita wrote:
> Hi all,
>
> I've made a script that displays 2 forms one after another, then the result page.
> It works like a Wizard from Windows.
>
> In the first page, I print a form for getting the username and the password, and if these are good, the script prints the second form with some private data.
> After submitting the second form, the script prints the result page.
>
> If the browser is not closed, and another visitor presses the back button of the browser, they see the private data.
>
> I put the following header in that second page:
> print $q -> header(-expires => 'now', '-Cache-Control' => 'no-cache');
>
> After this, if the visitors go back to view the second page, the browser tells that the page expired, but if the visitors refresh the page, they can see the private data from the second form.
>
> I guess the username and the password are sent again from the first form.
>
> How can I stop this?
>
> I also tried to put that header for not caching the first page, but ... same results.
>
> If I try to view the first page by pressing the back button one more time, the username is not displayed, but if I just refresh the second page, the username and password are sent.
>
> In the first page I use the post method in the form.
>
> Thank you.
>
> Teddy's Center: http://teddy.fcc.ro/
> Email: [EMAIL PROTECTED]

Try:

print $q->header(-pragma=>'no-cache');

Your document will still be cached, but the web cache will check to see if there's a newer version first, and if not, show the stored document.

Apparently, there's more info about pragmas at www.w3.org, specifically RFC2616 (ftp://ftp.isi.edu/in-notes/rfc2616.txt). I haven't been able to prove this though since the Network Officer where I work has disabled FTP on the proxy :-(

Disclaimer: I haven't tested this out myself, so if it doesn't work - don't blame me! I'm just regurgitating what I've read in a couple of really good books.

--
Geraint Jones

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
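The "last token used" idea from the first reply, worked through as an added example (not code from anyone in the thread): page one mints a hidden token, and the server refuses to show the private data a second time when a refresh re-POSTs the same username, password and token. The `WizardServer` class, its dict-based state and the `teddy` test account are constructed for this illustration; a real CGI would keep the state in a session store or database.

```python
import secrets


class WizardServer:
    """Server side of the two-page wizard with a one-time form token.

    Constructed example: plain dicts stand in for a session/DB store, and
    form submissions are dicts instead of real CGI input.
    """

    def __init__(self) -> None:
        self.issued: set[str] = set()               # tokens minted by page one
        self.last_token_used: dict[str, str] = {}   # username -> last token accepted
        self.credentials = {"teddy": "s3cret"}      # constructed test account

    def page_one(self) -> tuple[str, str]:
        """Render the login form with a fresh hidden token; returns (html, token)."""
        token = secrets.token_hex(16)
        self.issued.add(token)
        html = (
            '<form method="post" action="/page2">\n'
            f'  <input type="hidden" name="token" value="{token}">\n'
            '  <input name="user"><input type="password" name="pass">\n'
            '  <input type="submit" value="send">\n'
            '</form>'
        )
        return html, token

    def page_two(self, form: dict[str, str]) -> tuple[int, str]:
        """Handle the POST from page one; returns (status, body)."""
        user = form.get("user", "")
        password = form.get("pass", "")
        token = form.get("token", "")
        if token not in self.issued:
            return 400, "unknown token: reload page one"
        if self.credentials.get(user) != password:
            return 403, "bad username or password"
        # Back-then-refresh re-POSTs the cached form, so the same token
        # arrives again for the same user: report instead of re-showing.
        if self.last_token_used.get(user) == token:
            return 409, "form already submitted; private data is not re-shown"
        self.last_token_used[user] = token
        return 200, "private data for " + user


def simulate_refresh() -> list[int]:
    """First submit, a refresh re-POST, then a reload of page one and resubmit."""
    server = WizardServer()
    _, token = server.page_one()
    form = {"user": "teddy", "pass": "s3cret", "token": token}
    first = server.page_two(form)[0]
    replay = server.page_two(dict(form))[0]       # browser re-sends the same POST
    _, fresh = server.page_one()                  # user reloads page one
    again = server.page_two({**form, "token": fresh})[0]
    return [first, replay, again]
```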