User induced session stomping?
Paul Hethmon
paul.hethmon at clareitysecurity.com
Mon Aug 27 12:32:44 EDT 2012
On 8/27/12 12:03 PM, "Cantor, Scott" <cantor.2 at osu.edu> wrote:
>On 8/27/12 12:00 PM, "Paul Hethmon" <paul.hethmon at clareitysecurity.com> wrote:
>>>
>>>Is there a way to distinguish that case from the IMHO more common case of
>>>a back button going back over the login servlet?
>>
>>Seems like you could see that the user has an existing session at that
>>point (on the submittal of the old login form). So you skip the login
>>handling and process it as a SSO request.
>
>You can't, there's no request to fulfill. Nor do I want the UI to make the
>back button a "fence" and keep sending them forward again, I don't like
>that model. I was just trying to see if there was a quick way for me to
>detect the "multiple tab case" separately.
OK, I see that now: the original AuthRequest is gone, so you don't know how
to fulfill the user's request even though they now have a session. So now
you're in the login servlet and have no authentication context
information, but you can tell the user has a session. That could be a
decision point to do something, whatever that might be.
Paul