Ask HN: security impact of HTTP POST resubmission?

2 points by DenisM ↗ HN
Web browsers remember the content of the forms submitted to a web site, including the user name and password in there, if any. We know this because pressing "refresh" button will resubmit the form, and we can see the password resubmitted on the server.

So if you sign in to a site, then navigate away, then sign out, then close the browser, you think you're pretty safe. A hacker comes to the same machine, launches the browser (which helpfully restores the session and browsing history), press the "back" button a few times, confirms form resubmissions and viola - he is signed in as you.

So that's pretty grim, then. What can we do?

As a user, there is nothing you can do. Avoid any computer that is not your personal one?

As a web site developer you can do http://en.wikipedia.org/wiki/Post/Redirect/Get to protect your users, so the POST target is not shown in the browser history. Whether the data is still present in the browser history in a hidden form is an open question. Does anyone know the answer?

I was only able to find one place where this is discussed: http://security.stackexchange.com/questions/21282/how-to-disable-caching-of-form-data

Any more pointers will be appreciated.

1 comment

[ 2.6 ms ] story [ 15.0 ms ] thread
By the way ASP.NET by default generates code for you does POST/redirect/GET on success, but does not if there was an error, such as a typo. That's still disclosing lots of information, imo.

        [HttpPost]
        [AllowAnonymous]
        [ValidateAntiForgeryToken]
        public ActionResult Login(LoginModel model, string returnUrl)
        {
            if (ModelState.IsValid && WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe))
            {
                return RedirectToLocal(returnUrl);
            }

            // If we got this far, something failed, redisplay form
            ModelState.AddModelError("", "The user name or password provided is incorrect.");
            return View(model);
        }
How is this problem handled in other frameworks?