www.webdeveloper.com
Results 1 to 3 of 3

Thread: Distinguish between browser close/refresh/back events for a secure site (asp.net 2.0)

Hybrid View

  1. #1
    Join Date
    Feb 2009
    Posts
    3

    Distinguish between browser close/refresh/back events for a secure site (asp.net 2.0)

    This is a question I have also been trying to answer (and mainly finding only posts related to disabling back button navigation or doing a check if not the most recent page in browser history then tell the browser to go forward again, which is either ineffective or degrades user experience).

    Basic premise of the issue is:

    1. User logs into secure application.

    2. User views sensitive data.

    3. User (not knowing any better) leaves browser window open (even though they may have closed the Tab that was displaying the website, or navigated to a page outside of the site).

    4. User or Second User opens new tab and either:
    a. uses history to return to previous page containing sensitive data, or
    b. types url of login page to web app, but due to persistence of asp.net (http-only) session cookie (not accessible to client side script), is automatically returned to the logged in page of the previous user displaying sensitive data.

    If it is the same user who finds themselves still logged in, this may affect their perception of site security. If it is a separate user who views this data, then in this particular application, that would be a breach of confidentality and data protection).

    I checked a few different 3rd party secure sites (e.g. online bank) and so far found 2 that have solved the issue (and one that had not) - for major browsers (assuming both javascipt and cookies are available, otherwise they probably dont allow access).

    I think that using a combination of a frameset, cookies set/expired appropriately by onload and onunload events on both frameset and content frame, and javascript to detect if the url causes inner frame to break out of the frameset - it is possible to acheive the desired automatic sign out while still distinguishing between initial site load and subsequent navigation within the site versus a full page reload, but I cannot yet see how to separate an F5/Refresh when the user has not left the page from a navigation away to external site and return to the original site via history or back button.

    Any suggestions gratefully received..

  2. #2
    Join Date
    Apr 2003
    Location
    Netherlands
    Posts
    21,654
    At least 98% of internet users' DNA is identical to that of chimpanzees

  3. #3
    Join Date
    Feb 2009
    Posts
    3
    Thanks - lots of useful info in there..

    I had a look at the headers in Firebug:

    Response Headers
    Server Microsoft-IIS/5.1
    Date Tue, 24 Feb 2009 19:59:58 GMT
    X-Powered-By ASP.NET
    Cache-Control no-cache, no-store
    Pragma no-cache
    Expires -1
    Content-Type text/html; charset=utf-8
    Content-Length 656


    which I think is acheiving the desired effect, though I see that the pragma no-cache is listed as deprecated.



    The only thing I have not now managed to do regards the functionality I discussed was allowing the user to click their browser refresh button and remain in the site.
    However, having checked a couple of third party sites that manage to detect and silently log out the user as they navigate away to an external link and not offer to resubmit the form when the same entry is loaded from the browser history before the session has expired while still allowing browser back/forward button navigation to work internally within the site - as I now do, I have found that in each case they also either return the user to the login page when the browser refresh button is clicked (as mine does) or in some cases redirect to an error page.
    I guess it's a compromise I can accept.

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
HTML5 Development Center



Recent Articles