jwwceo

BACK BUTTON FORM KEY ISSUE


I am building an app which requires a very secure environment. Because of this, I am using a form key on every POST, both for regular forms and also Ajax calls. This key is stored as a session variable, and is reset whenever a POST occurs. A validation script checks the submitted key against the server's key and kicks the user out if they don't match. This ensures POSTs are coming from a trusted source. It works great, and I think has made the site very hard to attack or hack. That said, it has broken the browser's back button. If I hit back, the old form key is posted, and they don't match and it kicks the user out.

 

I don't want a broken back button, but not sure what to do. Any ideas??

 

James


I'm a little confused. You state "This key is stored as a session variable". But, then you state "If I hit back, the old form key is posted". If it is a session variable then how is it in the POST data?

 

I'm curious what you are really trying to achieve here. What are you protecting against by having the key that changes on each POST load? Once you know you have a trusted user, can you not set a single, unique session variable and check that same value on every POST submission?
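To make the two schemes in this thread concrete, here is an added example (not code from either poster): a minimal server-side session whose form key is either rotated after every POST, as in the original post, or kept fixed for the whole session, as suggested in the reply above. The `Session`, `render_form` and `handle_post` names are assumptions; the back-button scenario replays the key from a cached page, and the forged scenario shows both schemes still reject a key the server never issued.

```python
import hmac
import secrets


class Session:
    """Server-side session holding the anti-CSRF form key (hypothetical model)."""

    def __init__(self, rotate_on_post):
        self.rotate_on_post = rotate_on_post
        self.key = secrets.token_hex(16)

    def render_form(self):
        # The key is embedded in the page (hidden field, or a JS variable for Ajax).
        return {"form_key": self.key}

    def handle_post(self, form):
        submitted = form.get("form_key", "")
        # Constant-time comparison against the session's current key.
        if not hmac.compare_digest(self.key, submitted):
            return "rejected"  # mismatch: the user is kicked out
        if self.rotate_on_post:
            self.key = secrets.token_hex(16)  # original poster's scheme
        return "accepted"


def back_button_scenario(rotate_on_post):
    """Submit a form, navigate on, then press Back and resubmit the cached page."""
    s = Session(rotate_on_post)
    cached_page = s.render_form()            # browser keeps this page in history
    assert s.handle_post(cached_page) == "accepted"
    s.render_form()                          # the follow-up page after the POST
    # Back button: the cached page re-posts the key it was rendered with.
    return s.handle_post(cached_page)


def forged_post_scenario(rotate_on_post):
    """A POST carrying a key the server never issued (constructed sample)."""
    s = Session(rotate_on_post)
    s.render_form()
    return s.handle_post({"form_key": secrets.token_hex(16)})


if __name__ == "__main__":
    print("rotate, back button:", back_button_scenario(True))    # rejected
    print("fixed,  back button:", back_button_scenario(False))   # accepted
    print("rotate, forged key :", forged_post_scenario(True))    # rejected
    print("fixed,  forged key :", forged_post_scenario(False))   # rejected
```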


Like @guru said, not sure if what you are doing is needed, but I must say I like it. I have never heard of or thought of doing it but will now think it over.

 

Now for your issue. Even if you did not have your key idea, the issue of the back button (reload) has always been a problem. What I did to solve it was, for any form post, it is done in a window that deletes itself after the post, so the user can never click the back button as it is no longer there for that window. Now, you do not need to actually use a NEW window; you can use a modal one.
