Joined: 6/20/2007
Posts: 102
When I login to my site as admin and go to File Manager, then logout, then immediately click on the browser's back button, I am shown the File Manager page with the Folder Security Settings also shown at the bottom! Clicking on any file or link on the page returns to the login page. However, clicking on any folder throws up an error pop-up like null-null). When I login as admin again, I'm redirected back to File Manager.
Similar behavior was noticed when I login as admin, go to Admin-Site Settings, then logout, then immediately click on the browser's back button. I am shown the Site Settings and I can even expand the various nodes. Of course clicking on Update returns me to the login page. When I login as admin again, I'm redirected back to Site Settings.
Next, I login as admin and go to admin-Authentication, then logout, then click on the browser's back button. I am shown the various nodes of DotNetNuke Authentication Settings, Windows LiveID Settings (including the Secret key!) and OpenID Settings (all expanded). Of course clicking on Update returns me to the login page. When I login as admin again, I'm redirected back to the Authentication Settings page.
Next, I login as admin and go to admin-User Accounts. I then get some users starting with some letter listed. Then I click on pencil icon against a username. I then come to Edit User Accounts. Besides other fields, Email Address is also shown. I don't change anything here, I click on logout. I leave the terminal for a minute and before I come back, someone has intentionally or unintentionally clicked the browser's back button. Lo and behold, the user's email ID is shown in full view!
I could go on and on but I think I'd better stop.
I suspected it to be something to do with the cache, so I set performance settings node in Host-Host Settings like :
Performance Setting : No Cache & Authenticated Cacheability : ServerAndNoCache
but there was no change in the behavior of my site.
Three questions: (i) Is this not a security issue? (ii) If not, why not? (iii) If it is, what then is the solution to this "back button" problem?
P.S. I logged into my account on www.DotNetNuke.com, clicked on my User Name and was taken to my User Account page. Then I logged out, then clicked my browser's back button. I get a message like "You are not authorized to edit this user". From this it is obvious that there's something wrong with the configuration of my own site, as it is not behaving in the same way as the www.dotnetnuke.com site.
Further, I'd like to know how to return the user to the Home Page whenever the browser’s back button is clicked after logging out. Again, after logging in how to redirect the user to the Home Page rather than the page which he browsed to previously (File Manager, Site Settings, Authentication Settings, User Accounts etc. etc.). Perhaps there are settings in DNN or web.config or elsewhere for doing this, and I might have missed something. Would be grateful if someone can explain how to do this.
Joined: 1/22/2008
Posts: 273
It's not a security issue because you can only view the information if you / your users visit the site --> go into sensitive information --> log out and leave a public computer without closing the internet browser or clearing the browser's cache. It's not DNN caching causing it; it's the client's browser. As you point out, the second you try to make any call to the server you get shut down instantly. Keep in mind any webpage is just HTML / JavaScript, that is it. Every time a page is loaded into a browser, by default it caches that page for x amount of time. This is to allow the back button to work without having to constantly reload the information.
Like I said, it's only a slight security risk if you are on a public machine and log out and then don't close Internet Explorer. Otherwise it's not a security issue. I checked the DNN site; it does the same thing as your site does, displaying the profile information even though I logged out. They just have a warning message stating you are not authorized to edit this user. There are a billion different ways they could have added that line.
cathal connolly (www.cathal.co.uk) Joined: 4/9/2003
Posts: 9676
It's not a security issue; pressing the back button simply retrieves the page from your internet browser's temporary internet files folder if it's available (i.e. if it was cached). You can increase the caching level via the cacheability in host settings (see http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryID/472/Default.aspx for a better description and a link to the Microsoft KB on what each level does). This is why when you try to access a function it fails, as your user is logged out and doesn't have the rights to perform the function.
There is no logic to redirect you to the homepage for unauthenticated requests; it should simply redirect you to a login screen. This is needed as users will receive a link to a page that is not public, so they should be presented with a login page, and once successfully logged in the login page can redirect to the correct originally requested page. If we changed the code to work the way you want then this redirect would always go to the home page, which is not a behaviour users expect.
Cathal
Buy the new Professional DNN7: Open Source .NET CMS Platform book
Amazon US
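The headers are what decide this, so here is an added example (my own code, not DotNetNuke's and not from any poster) that audits the response headers of a page a logged-in user viewed and reports whether a browser is allowed to replay it from history after logout. The point it makes that the thread does not spell out: only `Cache-Control: no-store` forbids the browser from keeping a copy; `no-cache` (what the NoCache and ServerAndNoCache levels send to the client) only forces revalidation on a normal request, and a back-button navigation in several browsers never makes that request. The two sample header blocks are constructed, not captured from a real install; the `Cache-Control: private` one mirrors what an ASP.NET page sends under a "private" level such as ServerAndPrivate as I recall the HttpCacheability documentation, so treat that mapping as an assumption. `audit_url` is for running against your own site with a session cookie and is not exercised offline.

```python
"""Audit whether a page a logged-in user saw can be replayed by the browser
after logout.  Added example for this thread, not DotNetNuke code."""
from datetime import datetime, timezone
from email.message import Message
from email.parser import Parser
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple
import urllib.request

# Constructed sample header blocks (not captured from a real site).  The first
# mirrors what an ASP.NET page sends to the client under a "private" level
# such as HttpCacheability.ServerAndPrivate (assumption, from memory of the
# docs); the second is the set a page showing settings or account data should send.
WEAK_HEADERS = (
    "Cache-Control: private\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: .DOTNETNUKE=example; path=/; HttpOnly\r\n"
)
HARDENED_HEADERS = (
    "Cache-Control: no-store, no-cache, must-revalidate, max-age=0\r\n"
    "Pragma: no-cache\r\n"
    "Expires: -1\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
)


def parse_headers(raw: str) -> Message:
    """Parse a raw header block; lookups on the result are case-insensitive."""
    return Parser().parsestr(raw, headersonly=True)


def parse_cache_control(value: str) -> dict:
    """Split 'no-store, max-age=0' into {'no-store': None, 'max-age': '0'}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def audit(headers: Message) -> Tuple[bool, List[str]]:
    """Return (safe, findings).  safe is True only when Cache-Control carries
    no-store, the one directive that forbids keeping the page in the
    browser's history/disk cache; the other findings are advisory."""
    findings: List[str] = []
    cc: dict = {}
    for value in headers.get_all("Cache-Control", []):
        cc.update(parse_cache_control(value))

    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store: page may be replayed from history")
    for scope in ("public", "private"):
        if scope in cc:
            findings.append(f"Cache-Control: {scope} explicitly permits caching")
    if "no-cache" not in cc:
        findings.append("Cache-Control lacks no-cache: copy may be reused without revalidation")
    if cc.get("max-age") not in (None, "0"):
        findings.append(f"max-age={cc['max-age']} keeps the copy fresh for that long")
    if headers.get("Pragma", "").lower() != "no-cache":
        findings.append("missing Pragma: no-cache (HTTP/1.0 caches)")

    expires = headers.get("Expires")
    if expires is None:
        findings.append("missing Expires header")
    else:
        try:
            when = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            when = None  # unparseable (e.g. ASP.NET's "-1") counts as already expired
        if when is not None:
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            if when > datetime.now(timezone.utc):
                findings.append(f"Expires lies in the future: {expires}")
    return "no-store" in cc, findings


def audit_url(url: str, cookie: Optional[str] = None) -> Tuple[bool, List[str]]:
    """Fetch url with the session cookie of a logged-in user and audit it."""
    req = urllib.request.Request(url, headers={"Cookie": cookie} if cookie else {})
    with urllib.request.urlopen(req) as resp:
        return audit(resp.headers)  # HTTPMessage is an email.message.Message


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        safe, findings = audit(parse_headers(raw))
        print(f"{label}: {'safe' if safe else 'REPLAYABLE'}")
        for finding in findings:
            print("  -", finding)
```

To check your own install, log in, copy the session cookie from the browser, and call `audit_url("https://yoursite/Admin/FileManager.aspx", cookie="...")` for each sensitive page (the path is illustrative). A page that reports "REPLAYABLE" will show up on the back button after logout on any browser that honours `private` or a bare `no-cache`, regardless of what the server-side permission checks would say.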
Joined: 6/20/2007
Posts: 102
Sorry, but I'm still not convinced that this is not a security issue. For one, I fail to understand how displaying a user's email address or displaying DNN Authentication Settings when the back button is clicked after logout cannot be considered a security issue. At the least, can it be considered a "sensitive information disclosure" issue?
To be specific (at the cost of sounding repetitive), this is what I observed on the DNN site :
After logging in, clicking on my username took me to my user profile page. Leave that alone; now log out. I am directed to the Preferred User Information page (although why I'm directed to this page is beyond my understanding; I expected to get redirected to the home page or login page). Leave that as is. Next, I click on my browser's Back button. I am shown the Home>User Profile page. My username and "Logout" link are clearly visible along with my User Name, First Name, Last Name, Display Name and Email Address. I click on my username and I am again shown the Preferred User Information page! Again I click the browser Back button. On the User Account page, when I hover over Manage User Credentials, I realize that it's not clickable (supposedly because I'm already in the User Credentials). When I click on Manage Password, I can see the warning message "You are not authorized to edit this user." but the Change Password section is also shown with blank textboxes (although why this was also included is beyond me; I expected just the warning). Next, I click on the browser's Back button. I'm on the home page, at last! Did the browser's cache expire at this point? No, I believe not, because when I click again on the browser's back button, I am shown the login page!
IMHO, this is erratic and out-of-context behavior and discloses sensitive information.
Cathal, in the post you referred to you said, and I quote :
"...with ServerAndNoCache being the one that was hardcoded into DotNetNuke."
Sorry, but in my case this was not the default. In my case it was ServerAndPrivate. May I know what the differences are between the various options in the Authenticated Cacheability drop-down? For example, what is the difference between ServerAndNoCache and simply NoCache? Alternatively, where can I find the detailed description of these options?
Again, I quote your post :
"...it's actually a security best practice. It ensures that if you log out, no-one can access your previous pages by pressing the back button, or viewing the temporary internet files."
Exactly! The point I'm trying to make is that this didn't work in my case or, for that matter, in the DNN site's case, despite the host performance settings I mentioned. The back button still displayed my previous page!
Of course, I do not know what the settings in the DNN site were, but it looks like even with the same settings, it wouldn't purge the browser's cache.
I've seen many sites that do not exhibit such erratic and out-of-context behavior as detailed above. Some of them use a JavaScript function like history.go(1); to disable the browser's back button. Others may be implementing other techniques. Now, I cannot buy into an argument that says "JS can be disabled on the browser", because DNN relies on JS being enabled anyway!
And as for the statement "There is no logic to redirect you to the homepage for unautheticated requests, it should simply redirect you to a login screen - this is needed as users will receive a link to a page that is not public, so they should be presented with a login page and once succesfully logged in then the login page can redirect to the correct originally requested page" , I agree that this is how DNN behaves when an unauthenticated user tries to access a secure page or function which requires a login. That is perfectly acceptable. What I was trying to say is that once a user is logged out it is better (if possible) to redirect him to the home page or login page when he tries to click the browser's back button.
What I'm looking for is a way to circumvent this issue, and I will be happy if others can chime in and give me some tips. After all, DotNetNuke is about Community, Content and Collaboration. C'mon, guys!
cathal connolly (www.cathal.co.uk) Joined: 4/9/2003
Posts: 9676
The default is "HttpCacheability.ServerAndNoCache"; you can see this in default.asp.vb. If your value is different it's because you've changed it. On the blog post I pointed you to there's a link to the Microsoft KB that explains what each setting is.
As to the question about being automatically redirected to the home page on a back button, let me give an example
use case 1: user gets sent a link to a secure page and they click it, dotnetnuke detects they're not authenticated and shows a login dialog, after logging in they're redirected to original page
use case 2: user is logged in, browses to a secure page, clicks logout, clicks back. This is now an attempt to access a secure page whilst not logged in, i.e. this is identical to use case 1, so there is no way to determine whether to redirect to the failed access request or the home page, i.e. they are mutually exclusive options.
Cathal