So if you sign in to a site, then navigate away, then sign out, then close the browser, you think you're pretty safe. A hacker comes to the same machine, launches the browser (which helpfully restores the session and browsing history), presses the "back" button a few times, confirms form resubmissions and voilà: he is signed in as you.
So that's pretty grim, then. What can we do?
As a user, there is nothing you can do. Avoid any computer that is not your personal one?
As a web site developer you can use the Post/Redirect/Get pattern (http://en.wikipedia.org/wiki/Post/Redirect/Get) to protect your users, so the POST target is not shown in the browser history. Whether the data is still present in the browser history in a hidden form is an open question. Does anyone know the answer?
I was only able to find one place where this is discussed: http://security.stackexchange.com/questions/21282/how-to-disable-caching-of-form-data
Any more pointers will be appreciated.
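
A minimal sketch of the Post/Redirect/Get pattern mentioned above, added here as an example and not part of the original post: the login POST is answered with a 303 redirect instead of a page. The account, cookie name `sid`, the paths and the `Cache-Control: no-store` header are assumptions made for the demo; `post_login` starts the server on a free local port and submits the form once.

```python
import hmac, http.client, secrets, threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode

USERS = {"alice": "correct horse"}  # constructed demo account (assumption)
SESSIONS = {}                       # session id -> user name
LOGIN_FORM = b"<form method=post action=/login><input name=user><input name=password type=password></form>"

class PRGHandler(BaseHTTPRequestHandler):
    def log_message(self, *args): pass  # keep the demo quiet

    def reply(self, status, body=b"", **headers):
        self.send_response(status)
        self.send_header("Cache-Control", "no-store")  # added hardening, not from the post
        for name, value in headers.items():
            self.send_header(name.replace("_", "-"), value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        if self.path != "/login": return self.reply(404)
        form = parse_qs(self.rfile.read(int(self.headers.get("Content-Length", 0))).decode())
        user, pw = form.get("user", [""])[0], form.get("password", [""])[0]
        if user not in USERS or not hmac.compare_digest(USERS[user].encode(), pw.encode()):
            return self.reply(303, Location="/login?failed=1")
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = user
        # 303 See Other: the browser follows with a GET, so the page the user
        # lands on (/home) is not the response to a resubmittable POST.
        self.reply(303, Location="/home", Set_Cookie=f"sid={sid}; HttpOnly; SameSite=Lax; Path=/")

    def do_GET(self):
        cookie = SimpleCookie(self.headers.get("Cookie", ""))
        user = SESSIONS.get(cookie["sid"].value) if "sid" in cookie else None
        if self.path == "/home" and user:
            return self.reply(200, f"Signed in as {user}".encode())
        self.reply(200, LOGIN_FORM)

def post_login(user, password):
    # http.client does not follow redirects, so the raw 303 is visible here.
    srv = HTTPServer(("127.0.0.1", 0), PRGHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    conn = http.client.HTTPConnection("127.0.0.1", srv.server_port)
    conn.request("POST", "/login", urlencode({"user": user, "password": password}),
                 {"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse(); resp.read(); conn.close()
    srv.shutdown(); srv.server_close()
    return resp.status, resp.getheader("Location"), resp.getheader("Cache-Control")
```

Both the successful and the failed login end in a redirect, so neither outcome renders a page directly from the POST.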