Browser Back button opening up security holes???
New Post
6/5/2008 9:43 AM
 

>theres a link to the Microsoft KB that explains what each setting is.

Sorry, I missed that earlier.

I played around with the settings, but they don't seem to have any effect. I mean, the back button always returns me to the previous page after a logout. In one scenario, I happened to be in the Host Settings while logged in. Then I log out. Then I press the browser back button. I am returned to Host Settings. Then I click on the "Clear Cache" link. Lo and behold, I get the login page! This shows that (i) the Performance settings don't do what you said they were supposed to do in your blog and (ii) some functions are still accessible even on a supposedly secure page even after a logout!

>use case 2: user is logged in, browses to a secure page, clicks logout, clicks back - this is now an attempt to access a secure page whilst not logged in i.e. this is identical to the use case 1

In use case 1, you said the user is shown a login dialog. Then if it's identical to use case 1, why isn't he shown the login dialog, at least, if not the home page?

Today I got a small ASP app with salted MD5 hashing implemented on the password field on both client and server, with proper session management and client- as well as server-side validation. I checked the back button behavior in this app. I found that once I log out, whenever I hit the browser back button, it always returns me to the login page, not the page I visited before the logout. This behavior can be seen in innumerable apps. I don't know why it's not possible in DNN. I'd love to see a similar behavior in DNN, either by a code change, for which I'll need some help, or by an upgrade; otherwise I'll have to abandon DNN and try to look for other solutions. But that would be a sad day for me.

 
New Post
6/5/2008 10:56 AM
 

Hi Iadalang,

As Cathal indicated, leave your server cacheability at ServerAndNoCache to avoid this problem. You may also need to clear out your temporary internet files if the page is already cached (and possibly restart the application), but I don't believe this to be the case. For extra credit, I've just now verified that the issue occurs (by design) with Private authenticated caching, and does not occur (by design) with ServerAndNoCache.

Bottom line -- this is all by design. Leave your authenticated cacheability at ServerAndNoCache if you want to avoid this behavior. If you must privately cache, you can mitigate (but not avoid) the issue by SSL-enabling all of your admin pages, in which case IE will (with normal settings) not write the file to disk. This is overridable via the browser, so it is not an ultimate solution. The ultimate solution is ServerAndNoCache :) You may not be able to SSL-enable admin pages until DNN v5; I don't recall offhand if setting the IsSecure bit on the admin tabs explodes or not.

This is the third SSL-related post I've written to you today. You owe me a beer!

Brandon


Brandon Haynes
BrandonHaynes.org
 
New Post
6/6/2008 9:19 AM
 

Cathal's post in http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryID/472/Default.aspx says that setting ServerAndNoCache ensures that if you log out, no-one can access your previous pages by pressing the back button, or viewing the temporary internet files. Instead, I might (should?) be greeted with a "Warning: Page has Expired" notification when the browser's back button is used. Well, the point is that this was exactly what I set it to and it didn't work. And what's more, I could even expand the Host Settings after the back button was pressed and I could also click on "Clear Cache"! I would've been glad if I got the Page Expired warning, but I didn't and it's driving me nuts!

 
New Post
6/6/2008 1:07 PM
 

iadalang, it's not the authentication at all. It's the nature of browsers. HAS ZERO TO DO WITH DNN. Ok, very little.

Do this test. Log in, go to a few pages, go to your user account page, log out.

UNHOOK your internet so you are 100% offline and hit your back button, and watch what happens. You can go back through your history file for quite a while. Web pages are all static and saved locally on the user's machine, unless you define SSL; then information is not allowed to be seen because you change from https to http typically, and the redirect causes a server refresh. Whenever a web page is rendered by the browser, the browser takes a copy of that and stores it locally on the computer's hard drive. It can then go backwards and read through those files, which it does assuming there is nothing that changes, which is usually done via a session state in asp.net pages. There is really nothing DNN could do about it, without trying to force a 301 redirect on each call to the page. To me that would be a nightmare for the system.

This issue is why banks now ask you if you are on a private or public access computer. If you are on a public machine they turn off all cookie settings; if you are private then they let the program apply cookies. It is also why my library has notes on all computers stating to close your browser after you're finished surfing, and why we have a program that goes out and clears the cache after 5 pages.

It's not a security issue, it's an end-user education issue.

 
New Post
6/9/2008 6:31 AM
 

keeperofstars,

All the aforesaid experiments of mine were with Firefox/Netscape as the browser. Moreover, with cookies blocked in Firefox and Netscape, attempts to log in as host or admin returned me to the home page (i.e. without the host/admin menus)! Curiously, with IE, attempts to view the previous secure page with the browser back button after a logout returned me to the login page (a much desired behavior!). And blocking all cookies for my site in IE didn't behave the same way as in Firefox/Netscape. I can still get the admin/host menu after a successful login as host/admin.

So it looks like the setting in Host-Host Settings-Advanced Settings-Performance Settings-Authenticated Cacheability=ServerAndNoCache works with IE, but not Firefox/Netscape. Is this a browser quirk? Does DNN require that we use only IE for ServerAndNoCache to work? I'd rather believe not.

Also, can you tell me the difference in the timeout parameter in these sections in web.config:

    <forms name=".DOTNETNUKE" protection="All" timeout="10" cookieless="UseCookies" />

    <add key="PersistentCookieTimeout" value="0" />

    <anonymousIdentification enabled="true" cookieName=".ASPXANONYMOUS" cookieTimeout="1" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true" cookieProtection="None" domain="" />

and whether cookies can be controlled by any of the above settings?
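The Private-versus-ServerAndNoCache behaviour Brandon describes, and the Firefox/IE difference reported above, both come down to the cache headers the authenticated page is served with. The following is an added example, not DNN's or the forum's own code: a small checker that classifies a response's cache headers by whether a browser may show the page again from its cache or history after logout. The header sets are constructed to resemble what ASP.NET emits for those HttpCacheability values (an assumption; the exact headers vary by IIS/ASP.NET version).

```python
"""Classify cache headers of an authenticated page for the back-button-after-logout case."""


def parse_cache_control(value: str) -> dict:
    """Split a Cache-Control header into {directive: argument-or-None}, lowercased."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def history_verdict(headers: dict) -> str:
    """Return 'no-store', 'revalidate' or 'replayable' for a response header dict.

    no-store    : browser must not keep a copy at all (strongest; honoured by
                  history navigation in the major browsers).
    revalidate  : a copy may be kept but must be checked with the server before
                  reuse (ServerAndNoCache-style no-cache). Some browsers still
                  render it on a plain Back navigation, as reported for Firefox.
    replayable  : privately cacheable; Back shows the page after logout.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return "no-store"
    if "no-cache" in cc or h.get("pragma", "").lower() == "no-cache":
        return "revalidate"
    return "replayable"


# Constructed sample responses (not captured from a real DNN site).
PRIVATE_RESPONSE = {"Cache-Control": "private", "Content-Type": "text/html"}
SERVER_AND_NOCACHE_RESPONSE = {
    "Cache-Control": "no-cache", "Pragma": "no-cache", "Expires": "-1",
}
HARDENED_RESPONSE = {
    "Cache-Control": "no-cache, no-store, must-revalidate",
    "Pragma": "no-cache", "Expires": "0",
}

if __name__ == "__main__":
    for label, hdrs in [("Private", PRIVATE_RESPONSE),
                        ("ServerAndNoCache", SERVER_AND_NOCACHE_RESPONSE),
                        ("no-store added", HARDENED_RESPONSE)]:
        print(f"{label:18} -> {history_verdict(hdrs)}")
```

Run it against headers captured from the secure page with the browser's network tools (or curl -I) to see which of the three classes the site actually falls into.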
