[WEB SECURITY] Browser Cache
spawn security
spawn.security at gmail.com
Tue Oct 18 22:05:42 EDT 2005
I'm trying to find some solutions for the following issue:
Browser is caching user credentials at login page.
1 - user logs in
2 - uses the site
3 - logs out
4 - goes to browser history and selects login page
5 - clicks on forward and browser shows "this page has expired. if you want
to repost the data please click refresh"
6 - clicks on refresh and the browser sends the credentials again.
The initial solution proposed is to return a "302 redirect" when the user
posts the username/password. This solution has a performance impact, since
all logins will need an additional request. Would you know another way to
invalidate the browser's cache? We've tried the cache control headers but
it is not working.
Best,
SS
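
The "302 redirect" approach described in the post is the Post/Redirect/Get pattern. A sketch of it as a minimal WSGI app follows, added here as an illustration and not part of the original message. The `/login` and `/home` routes, the `sid` cookie, the sample account and the `post_login` helper are assumptions.

```python
import io
import secrets
from urllib.parse import parse_qs, urlencode

USERS = {"alice": "correct horse"}  # constructed sample account
SESSIONS = {}                       # session id -> username

def app(environ, start_response):
    """Minimal WSGI login handler using Post/Redirect/Get."""
    if environ["REQUEST_METHOD"] == "POST" and environ.get("PATH_INFO") == "/login":
        size = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(size).decode())
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        expected = USERS.get(user)
        ok = expected is not None and secrets.compare_digest(
            expected.encode(), password.encode())
        headers = [("Cache-Control", "no-store"), ("Content-Length", "0")]
        if ok:
            sid = secrets.token_urlsafe(32)
            SESSIONS[sid] = user
            headers += [("Location", "/home"), ("Set-Cookie",
                        f"sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/")]
        else:
            headers.append(("Location", "/login?failed=1"))
        # The POST is never answered with a page. After the 302 the history
        # entry is the GET target, so Back/Forward/Refresh re-issues a GET
        # and has no form data to resend.
        start_response("302 Found", headers)
        return [b""]
    body = (b"<form method='post' action='/login'>"
            b"<input name='username'><input name='password' type='password'>"
            b"<button>Log in</button></form>")
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Cache-Control", "no-store"),
                              ("Content-Length", str(len(body)))])
    return [body]

def post_login(username, password):
    """Drive app() with a constructed POST; return (status, headers)."""
    data = urlencode({"username": username, "password": password}).encode()
    seen = {}
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": "/login",
               "CONTENT_LENGTH": str(len(data)), "wsgi.input": io.BytesIO(data)}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    app(environ, start_response)
    return seen["status"], seen["headers"]
```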