Products

Evoq Content Overview Content Creation Workflow Asset Management Mobile Responsive Personalization Content Analytics SEO Integrations Security Website PerformanceEvoq Engage Overview Community Management  Dashboard  Analytics  Member Profile Gamification Advocate Marketing Community Engagement  Ideas  Answers  Discussions  Groups  Wikis  Events Mobile ReadyDNN Support PackagesEvoq: CMS FeaturesEvoq OnDemandCompare DNN's CMS Products

Solutions

Content Management SystemMulti-Channel PublishingDigital MarketingOnline Community ManagementIntranet Software SolutionOur CustomersPrime

Resources

Test DrivesSchedule A DemoDocumentation CenterWebinarsWhite PapersProduct ManualsRequest PricingData SheetsCase StudiesEvoq Preferred Products Content Management Ecommerce Forms Identity Management and Authentication Site Management Social Themes

Partners

DNN Partners Partner Directory Become a DNN Partner Partner Program Overview  Hosting  Implementation  ISV  Training  Competencies

Community

Participate Ask a Question Forums Community Showcase DNN MVP  Program Overview  Lifetime MVPs  Honorary MVPs Subscribe to DNN Digest Advisory Groups  Awareness Advisory Group  Developer Advisory Group  Partner Advisory Group  Technology Advisory GroupLearn Documentation Wiki Community Blog Video Library Project History Development RoadmapDownload DNN Store Language Packs Manuals Nightly BuildsSecurity Policies Security Center

Blog

About

News Press Releases News Coverage Press KitCareersContact DNN

QA

Ideas Test

New Community Website

Ordinarily, you'd be at the right spot, but we've recently launched a brand new community website... For the community, by the community.

Yay... Take Me to the Community!

Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.
In order to participate you must be a registered DNNizen
HomeHomeUsing DNN Platf...Using DNN Platf...Administration ...Administration ...Browser Back button opening up security holes???Browser Back button opening up security holes???
Previous
 
Next
New Post
6/16/2008 3:49 AM
 
Iadalang Pyngrope

Joined: 6/20/2007
Posts: 102

Brandon, I'm not at all suggesting that we should change Firefox's default setting (which normally caches secure pages in memory) so as to make it cache the same on disk. Setting browser.cache.disk_cache_ssl  to true  was to confirm what Cathal said-that Firefox caches pages in memory by default and changing that to a disk cache meant that DNN was able to take advantage of that change with Authenticated Cacheability set to ServerAndNoCache doing what it was meant to do (invalidate the cache on a logout). However, this is not a solution to the problem. A viable and sustainable solution, IMHO, would be one that would enable DNN to invalidate cached secure pages stored even in memory, and the examples I'd given of other websites doing exactly that, but not DNN led me to believe that the invalidation strategy adopted by DNN is perhaps flawed and therefore needs to be reviewed. However, I'm still waiting for someone who can tell me where to set these as they may prove to be the solution(s) to this problem :-

response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1))

response.Cache.SetCacheability(HttpCacheability.NoCache)

response.Cache.SetNoStore()
 
New Post
6/17/2008 9:04 AM
 
Mitchel Sellers


Mitchel Sellers's Avatar

Mitchel Sellers's Avatar

Mitchel Sellers's Avatar

Mitchel Sellers's Avatar

Mitchel Sellers's Avatar

Mitchel Sellers's Avatar

www.mitchelsellers.com
Joined: 1/24/2007
Posts: 7846

I think the key point here is that when you are using a machine to access your site, YOU the user is required to clear history etc to ensure 100% compliance.

With the disconnected nature of the web, the differences in browers and browser configurations, the only true way to prevent the issue you are talking about is to actually manually clear the cache and cookies.

Really it isnt much of a risk, unless you are making these changes on a public or shared PC and leaving the browser session open with full history.

-Mitchel Sellers
Microsoft MVP, ASPInsider, DNN MVP
CEO/Director of Development - IowaComputerGurus Inc.
LinkedIn Profile

Visit mitchelsellers.com for my mostly DNN Blog and support forum.

Visit IowaComputerGurus.com for free DNN Modules, DNN Performance Tips, DNN Consulting Quotes, and DNN Technical Support Services
 
New Post
6/18/2008 1:23 AM
 
Iadalang Pyngrope

Joined: 6/20/2007
Posts: 102

Thank you, Mitch for taking the time to respond.

As far as possible, we should mitigate the issue through code or settings.
In default.aspx.vb, under If Request.IsAuthenticated = True and before the last End IF added the lines :

response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1))
response.Cache.SetNoStore()


and now it works, thanks to Cathal. Issue resolved in Firefox!
 
New Post
6/27/2008 2:28 PM
 
Mark Gordon

Joined: 4/24/2007
Posts: 44

I have a single username and password that I use for my seasonal employee's page.  I have set it up that the User Profile page is (supposedly) not displayed. When the user logs in, then clicks the Browser's Back Button, they are taken back to the login screen, however, the "Logout" link now becomes a "Login" link.  They can click that link and it will bring them to a page that says they are already logged in.  All they need to do now is click their "Username" and they now have access to their User Profile, including changing the email address and the password.  This, to me, is a security violation.  If I am stating that the User Profile should not be displayed (In the User Settings) because I don't wish them to have this ability to make the changes, but now there is a way for them to get around this, that is not secure.  I have had the password changed for this particular User Name two times now by a couple clever teenage employees.

Any help here would be GREATLY appreciated.

Thanks,

Mark Gordon
 
New Post
7/1/2008 11:39 AM
 
cathal connolly


cathal connolly's Avatar

www.cathal.co.uk
Joined: 4/9/2003
Posts: 9676

Mark,

AFAIR the display user profile option is simply a way of ensuring that the details a user registered with can't get altered after registration. However, their username/password will always be editable (they're an intrinsic part of the user, not extended properties such as the profile). What you're talking about is "security by obscurity" rather than a security violation. Fixing that quirk would not stop the user having the ability to change their password - the user can simply provide the correct url which will validate that they have the rights to see their user details and display correctly. I would recommend that you do not share 1 dotnetnuke user across multiple actual users, that is not a very safe setup. If you need to grant access to a shared page, create a role (e.g "seasonal employee") and add users to that role.

Cathal

Buy the new Professional DNN7: Open Source .NET CMS Platform book Amazon US
 
 Page 5 of 5
Previous12345 
Previous
 
Next
HomeHomeUsing DNN Platf...Using DNN Platf...Administration ...Administration ...Browser Back button opening up security holes???Browser Back button opening up security holes???


These Forums are dedicated to discussion of DNN Platform and Evoq Solutions.

For the benefit of the community and to protect the integrity of the ecosystem, please observe the following posting guidelines:

  1. No Advertising. This includes promotion of commercial and non-commercial products or services which are not directly related to DNN.
  2. No vendor trolling / poaching. If someone posts about a vendor issue, allow the vendor or other customers to respond. Any post that looks like trolling / poaching will be removed.
  3. Discussion or promotion of DNN Platform product releases under a different brand name are strictly prohibited.
  4. No Flaming or Trolling.
  5. No Profanity, Racism, or Prejudice.
  6. Site Moderators have the final word on approving / removing a thread or post or comment.
  7. English language posting only, please.
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out