On Mon, Aug 2, 2010 at 9:23 AM, Oleg Gryb <oleg_g...@yahoo.com> wrote:
>
> What about browsing history? I've just run the JSP below in Tomcat and found
> out that Firefox remembers the redirect in the browsing history. It'll be a
> problem in a shared desktop or Internet kiosk environment.
I think the best practice for authentication tokens passed on URLs is to clean the URL as soon as it is received.

For the web server flow, that would mean sending a 302 after receiving the authorization code.

For the user-agent/javascript flow, that would mean copying the token into a cookie or a javascript variable, and then using window.location.replace() to clean the URL. My javascript ninja sources tell me that location.replace() cleans the browser history, but I haven't actually tested it. The mozilla documentation is very clear on the expected behavior:

https://developer.mozilla.org/en/window.location

"Replace the current document with the one at the provided URL. The difference from the assign() method is that after using replace() the current page will not be saved in session history, meaning the user won't be able to use the Back button to navigate to it."

Cheers,
Brian

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
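The URL-scrubbing step described above, written out as an added example (not code from the thread or from any OAuth library): the token is pulled from the fragment into a storage stand-in, and the current history entry is replaced with a URL that no longer carries it. The `loc` and `store` objects are constructed stubs for window.location and sessionStorage so the logic also runs under Node; the token values in the usage are made up.

```javascript
// Added example, not code from the thread: the URL-scrubbing step for the
// user-agent flow (token in the fragment). cleanedUrl() also strips the
// code/state query parameters of the web-server flow, which a server would
// do with a 302 to the same cleaned URL.

// Build the URL to show instead: drop the fragment (access_token etc.) and
// the code/state query parameters, keep everything else.
function cleanedUrl(href) {
  const u = new URL(href);
  u.searchParams.delete("code");
  u.searchParams.delete("state");
  u.hash = "";
  return u.toString();
}

// Parse the user-agent-flow response parameters out of the fragment.
function extractFragmentToken(href) {
  const params = new URLSearchParams(new URL(href).hash.replace(/^#/, ""));
  return {
    access_token: params.get("access_token"),
    token_type: params.get("token_type"),
    expires_in: params.get("expires_in"),
    state: params.get("state"),
  };
}

// Copy the token into `store` (cookie/sessionStorage stand-in), then replace
// the current entry so the token-bearing URL is not kept in session history.
function captureAndScrub(loc, store) {
  const token = extractFragmentToken(loc.href);
  if (token.access_token) store.setItem("access_token", token.access_token);
  const clean = cleanedUrl(loc.href);
  if (clean !== loc.href) loc.replace(clean); // replace(), not assign()
  return token;
}

// Constructed stand-ins for window.location and sessionStorage (assumptions).
function makeStubLocation(href) {
  return { href, replacedWith: null, replace(url) { this.replacedWith = url; this.href = url; } };
}
class MemoryStorage {
  constructor() { this.m = new Map(); }
  setItem(k, v) { this.m.set(k, String(v)); }
  getItem(k) { return this.m.has(k) ? this.m.get(k) : null; }
}
```

In a real page `window.location` and `window.sessionStorage` take the place of the stubs, and the scrub should run before any other script (including third-party ones) gets a chance to read the URL.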