The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
|
|||||||
|
#1
03-13-2005, 08:52 PM
|
|||
|
|||
Security Issue
Is it possible to force the browser to close upon logout?
The reason we are asking if this is possible is due to a potential security breach of our vBulletin Discussion Forums. Basically, when a user logs out, the previously viewed pages are still cached and fully available simply by clicking the 'Back' button. I was able to see the forums, structure, postings, even the text of sent Private Messages... Of course all the links were dead, however the fact that the information is still viewable is a problem. In addition, after logging-out, the confirmation screen had a 'forum jump' drop-down box that displayed the entire structure of the forums. This is also a problem. If forcing a browser close upon logout would be difficult, is there another way to prevent the above from breaching the security of our Discussion Forums? The seriousness of this potential security breach could cause many of our users to be too uncomfortable to use the forums actively. Thank you in advance... Aloha, Dan 
|
|
#2
03-13-2005, 09:52 PM
|
||||
|
||||
|
Quote:
Closing the browser will not do anything unless their Browser is made to clear all history on exit.
|
|
#3
03-14-2005, 08:24 AM
|
|||
|
|||
|
Thank you for the very fast reply Zachery!
I am not quite sure what you mean by 'enabling no-cache headers'. How does one do that and what does it do? (I am a bit of a newbie at this) I figured that if there was a way to at least close the browser window, casual users would be deterred from exposing anything potentially sensitive. If the window was closed, they would have to know how / where to view the cache instead of merely hitting the 'back' button. Perhaps a combination of both closing the window and enabling the no-cache headers?
|
|
#4
03-14-2005, 08:41 AM
|
|||
|
|||
|
Quote:
Quote:
|
|
#5
03-14-2005, 02:22 PM
|
||||
|
||||
|
Quote:
|
|
#6
03-14-2005, 02:43 PM
|
|||
|
|||
|
You are right, it is more a bandwidth issue, but he asked for an explanation and tried to explain as simple as possible.
|
|
#7
03-14-2005, 06:37 PM
|
|||
|
|||
|
MarcoH64 & Zachery,
Thank you both very much for the guidance and easy-to-understand explanation. I will speak to our System Administrator and have him implement your suggestion immediately. Just out of curiosity, will this also clear the issue of, after logging-out, having the 'Forum Jump' Drop-Down Box display the entire structure of the forums? Thank you again and Aloha, Dan
|
|
#8
03-14-2005, 06:40 PM
|
|||
|
|||
|
The forum jump box respects the permissions set for each usergroup, so you will have to check the permissions on guests
|
|
#9
03-28-2005, 06:45 PM
|
|||
|
|||
|
It seems that this has not solved our issue. I am still able to use the 'Back' button of the browser to view everything viewed and posted. I even tried closing the browser and rebooting the computer - when I log back in, poke around, and log out, I can see everything via the 'back' button.
Also, the 'Forum Jump' box reflects the permissions of the user that just logged out. For example, after I log out, it shows the forum structure to which I have access. If I log in as a test user, after logging-out, the 'Forum Jump' box shows the forum structure to which that account has access. Even though the jump links are dead until a user logs in again, the display of the structure is something we would like to avoid. Unless there is a way to make sure this doesn't happen, is there a way to force the browser to close upon logout in addition to setting the No-Cache HTTP Headers to 'yes'?
|
 |
«
Previous Thread
|
Next Thread
»
Linear Mode
|
|
All times are GMT. The time now is 02:03 AM.