[tpm] Maybe OT: Clearing CGI values in web-based apps

Abram Hindle abram.hindle at softwareprocess.us
Tue Dec 2 08:09:16 PST 2008


I'm not sure clearing is what you want to do.

You probably should send them a token per login attempt. They have
to return that token to you. You have to verify the token they sent is
the one you sent to them (sessions?). Once you verify that token you
remove it from the session. This way if they click back and
resend/reload it will send an old token. You know something isn't right
and you can handle that situation any way you want.

Banks (not all but most are supposed to) do this w/ their online
payments so you don't accidentally pay your power bill twice.

So server sends login page w/ random token (token is stored in session).
User fills in form, submits, token is passed back.
Server checks if the tokens match; if they do, carry on authenticating,
if not then throw an error message? Server deletes token regardless.
User hits back/resend/reload, which sends another repeat login request.
The login request token doesn't match, the user gets an error, and you handle it
any way you want.

Using this method stops a lot of clickjacking and a lot of XSS issues.

abram


Madison Kelly wrote:
> Hi all,
> 
>   I've been stumped as to how to clear the CGI values passed in
> web-based apps.
> 
>   For example, when a user logs in, I show a short "you've logged in
> successfully" page that redirects to the main page. I had expected that
> to do it because the redirect calls the URL directly, but if I reload
> the page, it resubmits the login information. Similarly after submitting
> orders and such.
> 
>   This is the kind of thing I want to prevent.
> 
>   I know it's possible as a lot of pages these days somehow prevent this
> from happening. Is this a perl-based solution or do I /shudder/ have to
> use JS? If it's JS, can I bother the list for some help or pointers,
> even if it's somewhat off-topic?
> 
> Thanks!!
> 
> madi
> _______________________________________________
> toronto-pm mailing list
> toronto-pm at pm.org
> http://mail.pm.org/mailman/listinfo/toronto-pm

