Due to some security constraints, there is requirement that the page visited should not be listed in browser's history.
So the pages need not to be shown in the history at all.
I have tried following ways but failed.
Solution 1:
1. <%
2. session.invalidate();
3. response.setHeader("Cache-Control","no-cache");
4. response.setHeader("Cache-Control","no-store");
5. response.setDateHeader("Expires", 0);
6. response.sendRedirect("home.jsp");
7. %>
Solution 2:
<%
Response.Cache.SetExpires(DateTime.Parse(DateTime.Now.ToString()))
Response.Cache.SetCacheability(HttpCacheability.Private)
Response.Cache.SetNoStore()
Response.AppendHeader("Pragma", "no-cache")
%>
Solution 3:
<body onload="history.forward()">
Solution 4:
<%
response.setDateHeader("Last-Modified", System.currentTimeMillis());
%>
Like in Firefox, there is functionality Tools -> Start Private Browsing which doesn't store any session data. Is there anything that can be done by JavaScript to achieve this.
You can't rely on client side when security matters. All browsers have different implementation for history. You should rely on a server side solution.
You cannot do it using all above four ways.
The only thing you can do it put your URL such that its unique and can't be revisited as per your requirement.
This behavior is under the control of the browser and not the server, so your options are very limited.
One way to achieve it is to create a page on site A which just contains an iframe that loads the content of the site which you don't want to see in the browser history.
But it will still be brittle. Users can use "Open Link in new window/tab" to break out of your shell.
If you have access to the clients, one solution is to install the browsers with history turned off in the settings plus restrict access to the browser preferences so users can't change this option.
You can't affect the browser's history mechanism. The best thing you can do is make sure the page has not been cached and possibly "disguise" it by making the URL random gibberish that has no meaning.
http://wiki.apache.org/struts/BrowserBackAndSecurity#Data_Caching_vs._Browser_Session_History
This smells of "security by obscurity". You should tackle the real problem (sensitive data in URLs) instead of obfuscating your way around it.
Just make it so that URLs don't contain any sensitive information (and please don't do it by wrapping the entire page in an iframe - this again is just a bit of obfuscation).
Related
I've managed to create a secured web service which stores the hash of password with random salt
But now after the user has filled its correct username and password then he is redirected to index.html page.
and now my task is to create the same thing as you see here in stackoverflow in the left corner - I want the user to see his username and next to it to have an option for logout.
But as I have never done such thing can you recommend the steps I should follow
and some tutorial - or whatever you think I should read
What is the technology stack you are using ? JSP + Java ? JSF + Java ? Struts + Java ? or any-other ? Whatever you use. Most of the framework has a concept of session. When user hit the submit button post filling the form, store the "username" is session. On successful validation pull the "username" stored from session. http://www.javatpoint.com/cookies-in-session-tracking http://www.tutorialspoint.com/jsp/jsp_session_tracking.htm
Easiest way is to have link to page like
http://www.example.com/logout.jsp
Than in logout.jsp, you can logout user from DB (if you use that) and destroy SESSIONS and COOKIES. After that, you do redirect to index page of web. Doing redirect to last page is not always possible, because user coul have been in some logged only part of the web.
Good thing is also to check if user is logged before doing real logout, but all of this stuff is in logout.jsp. There is no need to doing it more complicated, than it is :-)
As you are using JSP you should be using HttpSession. So you only have to call invalidate method when you access the logout page (in this case, logout.jsp):
<% session.invalidate(); %>
<% response.sendRedirect("index.jsp"); %>
If you are using a servlet, you can process this there.
If you want to know more about JSP/servlet development I recommend you this series of videos, if you have little experience they are very easy to follow.
How to fix the below XSS vulnerability issue?
How to secure my website from XSS vulnerability?
By adding a javascript in the URL of the website all the cookies values are being displayed.
below is a similar example of the URL which consists of a java script:
https://www.example.com/>< script>alert(document.cookie)< / script >&UserTarget=https://www.example.com/homepageredirect.jsp
To overcome this I added the below filer in obj.conf file in webserver 7.0:
Input fn="insert-filter"
method="POST"
filter="sed-request"
sed="s/(<|%3c)/\\< / gi"
sed="s/(>|%3e)/\\>/gi"
Ever after making these changes in the obj.conf , still the issue is not fixed. Please suggest something.
When you print your HTML just escape the special chars in the client side (or server-side, it depends for what you are going to print it) then you will be allowed to pass any input through without the need to use awkward regex or other kind of filter.
Example:
Let's say I have a variable that can receive a <script>alert( document.cookie )</script>, when I print I would do something like <div> <%= escapeHTML( dangerousVariable ) %> </div>.
In this URL XSS Prevention Rules mention you can apply rules according to your requirement
I'm working on a jsf project, and I have several xhtml pages which use the same template. The template contains the layout and the page header. I would like to know if it is possible to not reload the header when user navigates to another page, since it is always the same; and as it contains a couple of images it makes navigating unnecessarily slower.
One remark: I'm using a filter that adds the following headers to the response, for security reasons:
HttpServletResponse resp = (HttpServletResponse) response;
resp.setHeader("Cache-Control", "no-cache,no-store,must-revalidate"); // HTTP 1.1
resp.setHeader("Pragma", "no-cache"); // HTTP 1.0
resp.setDateHeader("Expires", 0); // Proxies.
Can it be done without removing those headers?
Thanks!
Damian
The template contains the layout and the page header. I would like to know if it is possible to not reload the header when user navigates to another page, since it is always the same;
This is only possible when using a HTML frame (not recommended) or when refreshing the page parts by Ajax requests instead of normal requests. However, the disadvantage is that you end up with unbookmarkable URLs.
and as it contains a couple of images it makes navigating unnecessarily slower.
If that is the real problem, then you need to instruct the browser to actually cache the images (and CSS and JS). So if you're setting those response headers on image/CSS/JS requests as well, then the browser is forced to reload them everytime. This is unnecessary and will indeed result in slow loading. You need to ensure that those headers are only set on JSF pages, so you need to ensure that the URL pattern of the filter matches JSF page requests only, e.g. *.jsf or *.xhtml and thus not /* or something.
See also:
Java EE Web application performance tips and tricks
Looking for a similar technique in my audio player to don't stop listenig during navigation. I just look at soundcloud site. U can refresh content in ajax and change url in javascript with window.history.pushState look here:
http://www.whatwg.org/specs/web-apps/current-work/multipage/history.html#dom-history-pushstate
It probably doesn't work with old browser...
I new in JSP, i have a problem with JSP
in php i use
$page=$_GET["page"]
for display multiple page for one layout it mean i have index , it display layout and when i click on menu go to about us the index url = index.jsp?page=about
in PHP when i declare $page above and next step i do
Switch($page){
case 1:about
include 'aboutus.php'
case 2:news
include 'news.php'
}
How can i do it ?
How jsp can do the same way php to display multiple page in 1 layout
Use jsp:include.
<jsp:include page="/WEB-INF/${param.page}.jsp" />
And pass ?page=news or ?page=about, etc as parameter. The ${param.page} prints the outcome of request.getParameter("page"). You can prevent direct access to JSP files (by entering URL in browser address bar) by placing JSP files in /WEB-INF folder.
See also:
Basic JSP/Servlet tutorials
Hidden features of JSP/Servlet
How to avoid Java code in JSP
nowadays you use "templates" of Java Server Faces (JSF) for this approach. When you use JSP, you actually don't use the same concept as in PHP. You'd better use the MVC concept. But to answer your question, you could probably achieve this with the include tag http://java.sun.com/products/jsp/tags/11/syntaxref1112.html and control it with JSTL:
http://www.java2s.com/Code/Java/JSTL/JSTLiftag.htm
I am working with jsp/servlet project and I have to complete the module of access management to my jsps since I have more than one user with different profile.
I defined a table in my database which resume the profil and the url permitted like that:
id_profil :1
url : http://localhost/...xyz.jsp
id page 1
Now I am trying to let the menu modified appropriately to the id_profil of the logged user.
So there are pages allowed in one profile but must be hidden to others.
I have no idea since now how to realize this.
It's kinda a vague exaplanation but you could use an if in your jsp to hide the menu options based on id_profil, something like this:
<c:if test="${currentUser.id_profil == 1}">
<button label="Only id_profil 1"/>
</c:if>
Keep in mind that by changing the values shown by a menu, you aren't preventing a user from accessing a page directly -- even if the user can't get to xyz.jsp by dropping down a menu item, they can still enter xyz.jsp into the address bar of their browser. So you'll have to block the access in another way.
If you have any experience with Spring, or are considering implementing it, take a look at Spring Security. It can be used to limit user access rights to different parts of your application. It isn't terribly hard to implement if you are already familiar with Spring.
ETA: For some basics that don't involve Spring Security, check out security in web.xml: http://java.sun.com/javaee/5/docs/tutorial/doc/bncbe.html#bncbj