
BACK BUTTON FORM KEY ISSUE


jwwceo


I am building an app which requires a very secure environment. Because of this, I am using a form key on every POST, both for regular forms and also Ajax calls. This key is stored as a session variable, and is reset whenever a POST occurs. A validation script checks the submitted key against the server's key and kicks the user out if they don't match. This ensures POSTs are coming from a trusted source. It works great, and I think has made the site very hard to attack or hack. That said, it has broken the browser's back button. If I hit back, the old form key is posted, and they don't match and it kicks the user out.

 

I don't want a broken back button, but not sure what to do. Any ideas??

 

James


I'm a little confused. You state "This key is stored as a session variable". But, then you state "If I hit back, the old form key is posted". If it is a session variable then how is it in the POST data?

 

I'm curious what you are really trying to achieve here. What are you protecting against by having the key that changes on each POST load? Once you know you have a trusted user, can you not set a single, unique session variable and check that same value on every POST submission?


2 weeks later...

Like @guru said, not sure if what you are doing is needed, but I must say I like it. I have never heard or thought of doing it but will now think it over.

 

Now for your issue. Even if you did not have your key idea, the issue of the back button (reload) has always been a problem. What I did to solve it was for any form post it is done in a window that deletes itself after the post, so the user can never click the back button as it is no longer there for that window. Now you do not need to actually use a NEW window, you can use a modal one.
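One way to keep a key that rotates on every POST (the first post's design) without breaking the back button, and without falling back to the single session-wide key @guru suggests: keep a short, bounded list of recently issued keys in the session and accept any of them. A key is never guessable by a cross-site attacker, so accepting the last few is still a CSRF defence; only the window of pages a user can go back to and resubmit grows. This is an added example, not code from the thread; the `session` dict stands in for the server's session store, and `MAX_LIVE_KEYS` is a constructed limit.

```python
import hmac
import secrets
from collections import deque

# Constructed limit: how many previously rendered pages may still be
# submitted. Each POST issues a new key and pushes the oldest one out.
MAX_LIVE_KEYS = 5


def issue_form_key(session: dict) -> str:
    """Mint a fresh key for a page render and remember it in the session.

    Called once per rendered page (or per Ajax response that carries a
    form). The key goes into a hidden field / request header on the client.
    """
    keys = session.setdefault("form_keys", deque(maxlen=MAX_LIVE_KEYS))
    key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    keys.append(key)  # oldest key is dropped automatically once full
    return key


def validate_form_key(session: dict, submitted: str) -> bool:
    """Check a POSTed key against every still-live key for this session.

    Keys are deliberately NOT consumed on use: consuming them is what
    breaks the back button, and replay by the same user is not a CSRF
    risk (the attacker never learns the key). Keys expire only by aging
    out of the deque as new pages are rendered.
    """
    keys = session.get("form_keys")
    if not keys or not submitted:
        return False
    for key in keys:
        # compare_digest runs in constant time so a wrong guess does not
        # leak how many leading characters matched
        if hmac.compare_digest(key, submitted):
            return True
    return False


def handle_post(session: dict, submitted: str) -> str:
    """Server side of a POST: reject a bad key, otherwise rotate the key
    for the next page, mirroring 'reset whenever a POST occurs'."""
    if not validate_form_key(session, submitted):
        raise PermissionError("form key mismatch, ending session")
    return issue_form_key(session)
```

Because old keys stay valid until they age out, a user who presses back and resubmits an earlier page is accepted; a page older than `MAX_LIVE_KEYS` renders is rejected exactly as before.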
