[4400] in WWW Security List Archive
Re: Removing info from a PC cache
daemon@ATHENA.MIT.EDU (Darren Cook)
Thu Feb 13 12:24:11 1997
To: <www-security@ns2.rutgers.edu>
From: darren@factcomm.co.jp (Darren Cook)
Date: Thu, 13 Feb 1997 23:03:05 +0900
Errors-To: owner-www-security@ns2.rutgers.edu
>When using the "back" button in such browsers as Netscape Navigator and
>Internet Explorer, the information for the previous pages is re-displayed.
>When setting up an Internet site that requests ids and passwords/PINs for
>commerce transactions, this creates the risk of having others use the PC to
>get to the authenticating person's confidential info when the person does not
>exit the browser before leaving the PC.
The best way (and I'd be interested to hear alternatives) seems to be to
assign them a 'session id' when they first log on, and then insert this id
into all links (requires the pages to be parsed by a cgi program).
Expire the ids after, say, 30 minutes of inactivity (I record a 'last web
activity' time each time I send them back a page).
Anyone who tries to access a page with no session id, or an outdated/invalid
one, gets the 'input password' page.
This does not need SSL, etc., but should run on top of it.
Darren
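The scheme Darren describes (a session id handed out at login, stamped into every link by the page-generating CGI program, refreshed on each request and expired after 30 minutes of inactivity, with any missing, unknown or stale id sent back to the password page) can be written as a small in-memory session layer. The following is an added example, not code from the original post: the `SessionStore` class, the `insert_session_id` link rewriter, `handle_request` and the `LOGIN_PAGE` marker are all assumed names, and the injectable `clock` exists only so the idle timeout can be exercised without waiting. Only local links get the id; links to other hosts are left alone so the id is not handed to third-party sites.

```python
import re
import secrets
import time
import urllib.parse

IDLE_TIMEOUT = 30 * 60  # 30 minutes of inactivity, as in the post

# Constructed placeholder for the "input password" page the CGI would return.
LOGIN_PAGE = "<html><body><form>Please enter your password.</form></body></html>"


class SessionStore:
    """Maps session ids to the logged-in user and their last activity time."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock  # injectable for testing (hypothetical parameter)
        self._sessions = {}  # sid -> {"user": str, "last_activity": float}

    def create(self, user):
        """Issue a fresh, unguessable session id at login."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_activity": self.clock()}
        return sid

    def validate(self, sid):
        """Return the user for a live session and refresh its activity time.

        Returns None (and drops the entry) when the id is missing, unknown
        or has been idle longer than idle_timeout.
        """
        if sid is None:
            return None
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self.clock()
        if now - entry["last_activity"] > self.idle_timeout:
            del self._sessions[sid]
            return None
        entry["last_activity"] = now  # the 'last web activity' timestamp
        return entry["user"]

    def destroy(self, sid):
        """Explicit logout: forget the session immediately."""
        self._sessions.pop(sid, None)


_HREF = re.compile(r'(href=")([^"]*)(")', re.IGNORECASE)


def insert_session_id(html, sid):
    """Rewrite every local href so the link carries the session id."""

    def stamp(match):
        url = match.group(2)
        # Leave absolute links to other hosts, mail links and fragments alone.
        if url.startswith(("http://", "https://", "mailto:", "#")):
            return match.group(0)
        sep = "&" if "?" in url else "?"
        return f"{match.group(1)}{url}{sep}sid={sid}{match.group(3)}"

    return _HREF.sub(stamp, html)


def handle_request(store, query_string, page_html):
    """Front-end check the CGI program performs on every request.

    A valid session yields the requested page with its links stamped;
    anything else yields the password page.
    """
    params = urllib.parse.parse_qs(query_string)
    sid = params.get("sid", [None])[0]
    user = store.validate(sid)
    if user is None:
        return LOGIN_PAGE
    return insert_session_id(page_html, sid)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    # Constructed sample page with one local and one external link.
    page = '<a href="/account">Account</a> <a href="https://example.org/">Other</a>'
    print(handle_request(store, "sid=" + sid, page))
    print(handle_request(store, "sid=not-a-real-id", page) == LOGIN_PAGE)
```

Because the id travels in the URL, it also lands in browser history, bookmarks and the Referer header of any outbound link, which is why the rewriter refuses to stamp links to other hosts and why the store offers an explicit `destroy` for logout rather than relying on the idle timer alone.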