User induced session stomping?

Cantor, Scott cantor.2 at osu.edu
Mon Aug 27 12:03:39 EDT 2012


On 8/27/12 12:00 PM, "Paul Hethmon" <paul.hethmon at clareitysecurity.com>
wrote:
>>
>>Is there a way to distinguish that case from the IMHO more common case of
>>a back button going back over the login servlet?
>
>Seems like you could see that the user has an existing session at that
>point (on the submittal of the old login form). So you skip the login
>handling and process it as an SSO request.

You can't; there's no request to fulfill. Nor do I want the UI to make the
back button a "fence" and keep sending them forward again; I don't like
that model. I was just trying to see if there was a quick way for me to
detect the "multiple tab case" separately.

-- Scott
