on 2006-02-13 02:10
on 2006-02-13 18:47
I would really hope a website couldn't remotely clear out my browser history... Tony
on 2006-02-13 18:54
On 2/13/06, Tony Collen <firstname.lastname@example.org> wrote:
> I would really hope a website couldn't remotely clear out my browser
> history...

And more importantly, I would hope that a website isn't relying on this for any kind of security.

-- James
on 2006-02-13 20:20
David,

Why don't you just display a warning when the user logs out, e.g. "If you are using a shared computer, please close your browser window for security reasons". And you could try to force the user to use a separate window, similar to how netbanking usually works (when you click the button to access netbanking, a popup window is often opened where you enter username & password and continue).

Estelle.
on 2006-02-13 21:13
Thanks everyone,

My primary concern is to ensure that sensitive information isn't viewable via someone hitting the 'Back' button. I've got other methods of enforcing security as well. I hadn't thought of using the Internet banking approach of opening a new window; strange, since I've tested multiple Internet banking setups in the past. Think I'll go with that, and link the "Logout" functionality to a window.close() as well as deleting all session info.

Regards
Dave M.
on 2006-02-13 21:30
on 2006-02-13 22:06
on 2006-02-13 23:08
on 2006-02-13 23:09
> button will reload the form, losing any changes they have made.
> This has been the cause of some unfortunate data loss, that I would
> like to be able to eliminate.

I'd also suggest HTTPS. The browser history is really not your "property" so to speak: it belongs to the user who created that path from page to page. HTTPS at least lets you control its creation in the first place. (Although almost every web application can benefit from good support of the browser Back button and the page history.)

Regarding the danger of losing form data, in practice, the best thing to do is often to put important forms on pages that are dedicated wholly to them, and not surround the forms with tempting-looking links. If you need contextual links (say for help information related to the form) you might want to have those open popups.
on 2006-02-13 23:13
I don't have any sensitive data stored within the URL; however, if you scroll back through the browser history, you can see data onscreen (retrieved from the history) that *is* sensitive. I've already got short timeouts on cookies, and I'm about to deploy over HTTPS. I think the best approach will be to close the browser window when the user logs out. That way there's no scrolling back through screen history. Of course, now I've got the problem of getting users to ACTUALLY log out, which is a whole separate issue...

Regards
Dave M.
on 2006-02-14 03:59
On Tuesday, February 14, 2006, at 7:13 AM, David Mitchell wrote:
> info.
>> security reasons".
>> http://lists.rubyonrails.org/mailman/listinfo/rails
>>
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails

Dave,

You can use Cache-Control, Expires and Pragma No-Cache to prevent the browser from caching the page. This will make sure the Back button does not show the cached page.

Best Regards,
Roustem.
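The header approach Roustem describes, as an added example that is not part of the original thread and not code from the Rails project: a minimal Rack-style middleware that stamps `Cache-Control`, `Pragma` and `Expires` on every response, plus a small audit helper that reports which of the three a response is missing. It assumes only that the wrapped application is a callable returning the usual `[status, headers, body]` triple; no gems are needed, and the `demo` method exercises it against a constructed sample app.

```ruby
# Added example (not from the original thread). Pure Ruby, no Rack gem required:
# the middleware only relies on the [status, headers, body] calling convention.
require 'time'

# The three headers named in the thread. "no-store" is what actually stops the
# page being kept for the Back button; Pragma and Expires cover older clients.
NO_STORE_HEADERS = {
  'Cache-Control' => 'no-store, no-cache, must-revalidate, max-age=0',
  'Pragma'        => 'no-cache',
  'Expires'       => 'Thu, 01 Jan 1970 00:00:00 GMT'
}.freeze

# Hypothetical middleware: wraps any Rack-style app and forces the headers on.
class NoCacheMiddleware
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Merge so the app's own headers survive but the cache headers always win.
    [status, headers.merge(NO_STORE_HEADERS), body]
  end
end

# Audit helper: returns a list of problems with a response's caching headers
# (empty when the response is safe to show only from a fresh request).
def cache_header_problems(headers)
  # Header names are case-insensitive; normalise before looking them up.
  h = headers.each_with_object({}) { |(k, v), acc| acc[k.to_s.downcase] = v.to_s }
  problems = []

  directives = h['cache-control'].to_s.downcase.split(',').map(&:strip)
  problems << 'Cache-Control lacks no-store' unless directives.include?('no-store')

  problems << 'Pragma is not no-cache' unless h['pragma'].to_s.downcase == 'no-cache'

  expires = h['expires']
  if expires.nil?
    problems << 'Expires header missing'
  else
    begin
      problems << 'Expires is in the future' if Time.httpdate(expires) > Time.now
    rescue ArgumentError
      # Non-date values such as "0" or "-1" are treated by browsers as already expired.
    end
  end
  problems
end

# Constructed sample: an app that renders sensitive account data with no
# caching headers at all, before and after being wrapped by the middleware.
def demo
  leaky_app = lambda do |_env|
    [200, { 'Content-Type' => 'text/html' }, ['<p>Account balance: [constructed sample]</p>']]
  end
  guarded_app = NoCacheMiddleware.new(leaky_app)

  {
    before: cache_header_problems(leaky_app.call({})[1]),
    after:  cache_header_problems(guarded_app.call({})[1])
  }
end

if __FILE__ == $PROGRAM_NAME
  result = demo
  puts "Before: #{result[:before].inspect}"
  puts "After:  #{result[:after].inspect}"
end
```

The audit helper is the part worth keeping around: run it over the headers of every page that shows session-bound data and you get a cheap check that the no-cache headers were not lost behind a later `headers.merge` or a proxy that rewrites `Cache-Control`.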