
365 problems with browser back/forward buttons

  • 17-12-2014 4:50pm
    #1
    Hosted Moderators Posts: 7,486 ✭✭✭


    This has recently gone beyond a joke. Previously, it was recommended to avoid using these buttons, but now it appears that the 365 dev team have actively attempted to detect usage of these buttons and log out the session if this happens.

    This is an extreme usability problem. The back/forward buttons are fairly integral to people's usage of modern internet browsers.

    The use of the word "security" here is at best weak - there is no security benefit whatsoever from doing this, since no security state information is maintained on the client-side.


Comments

  • Closed Accounts Posts: 2,346 ✭✭✭Bank of Ireland: Tara


    Hi Red Alert,

    Thanks for your post.

    We are sorry to hear you are unhappy with the automatic log out when using the back and forward buttons. Just to mention, there have been no changes made in relation to this recently. We will ensure to pass on your feedback to the Development Team.

    Thanks
    Tara


  • Hosted Moderators Posts: 7,486 ✭✭✭Red Alert


    From what you are saying, it may be possible that browser upgrades have exacerbated this pre-existing design problem.  However, please pass on to them that this "feature" should never have been there from the get-go.


  • Registered Users Posts: 3,174 ✭✭✭techdiver


    Red Alert wrote: »
    This has recently gone beyond a joke. Previously, it was recommended to avoid using these buttons, but now it appears that the 365 dev team have actively attempted to detect usage of these buttons and log out the session if this happens.

    This is an extreme usability problem. The back/forward buttons are fairly integral to people's usage of modern internet browsers.

    The use of the word "security" here is at best weak - there is no security benefit whatsoever from doing this, since no security state information is maintained on the client-side.
    The invalidation of a session when using the browser back button is in fact a well accepted security mechanism to protect from cross site request forgery. It protects a user's session information from being used by an attacker by utilising a unique token per web request. When you hit the browser back button you will end up re-using the same token for subsequent requests, which will then trigger the server to invalidate the session. Source - I work in the software security industry.

    There is more information about it here - https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29. CSRF comes in the top 10 security attacks against web users.

    The countermeasures may be a pain in the ass, but they are implemented for a reason. From Bank of Ireland's point of view, they could improve usability by implementing breadcrumbs in their page flow.


  • Hosted Moderators Posts: 7,486 ✭✭✭Red Alert


    They're generating a new CSRF token for each page request, which is probably excessive and is causing the problems. I have only implemented CSRF protection in the form of a CSRF token per session, for example in Spring MVC's default configuration. Breaking browser navigation is a major usability problem, and probably not worth doing here since most "dangerous" operations do require 3/6 digits from the 365 online PIN.
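The two posts above describe two CSRF token policies: techdiver's per-request token (rotated on every page, with the session killed when a stale one comes back) and Red Alert's per-session token (one token for the life of the session). The following is an added example, not code from this thread or from Bank of Ireland's 365 system, that models both policies in a toy server so the difference can be seen. It assumes that pressing Back shows the browser's cached copy of the earlier page, so the form on that page still carries the token it was rendered with; the `Session` class, the two-page flow and the "attacker-guess" value are all constructed for the illustration.

```python
import hmac
import secrets


class Session:
    """Minimal server-side session (constructed for this example)."""

    def __init__(self):
        self.token = secrets.token_hex(16)  # per-session CSRF token
        self.alive = True


def render_page(session, per_request):
    """Server renders a page containing a form and returns the CSRF token
    embedded in that page. Under the per-request policy a fresh token is
    minted on every render, so any earlier copy of a page (the one the
    browser shows on Back) holds a token the server no longer expects."""
    if per_request:
        session.token = secrets.token_hex(16)
    return session.token


def submit_form(session, submitted_token, per_request):
    """Validate a form submission. Returns 'ok', 'rejected' or 'logged_out'.
    Under the per-request policy a mismatch also terminates the session,
    mirroring the behaviour complained about in the thread (an assumption
    about the policy, not an observation of the real system)."""
    if not session.alive:
        return "logged_out"
    # Constant-time comparison so a token check cannot leak by timing.
    if hmac.compare_digest(submitted_token, session.token):
        if per_request:
            session.token = secrets.token_hex(16)  # rotate after use
        return "ok"
    if per_request:
        session.alive = False
    return "rejected"


def simulate_back_button(per_request):
    """User loads page 1, moves on to page 2, presses Back (cached page 1,
    no new request to the server) and submits page 1's form.
    Returns (result, session_still_alive)."""
    s = Session()
    page1_token = render_page(s, per_request)  # first page rendered
    render_page(s, per_request)                # second page rendered
    result = submit_form(s, page1_token, per_request)  # Back, then submit
    return result, s.alive


def simulate_forged_request(per_request):
    """A cross-site request carries no valid token, whichever policy is in
    force; 'attacker-guess' is a constructed stand-in for a guessed value."""
    s = Session()
    render_page(s, per_request)
    return submit_form(s, "attacker-guess", per_request)


if __name__ == "__main__":
    for policy in (False, True):
        label = "per-request" if policy else "per-session"
        print(label, "back button:", simulate_back_button(policy))
        print(label, "forged request:", simulate_forged_request(policy))
```

Both policies reject the forged request, which is the CSRF property; only the per-request policy also rejects the legitimate submission after Back and drops the session, which is the usability cost Red Alert describes.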


  • Hosted Moderators Posts: 7,486 ✭✭✭Red Alert


    Nice reference by the way!

