Browser refresh

nhofkes

This is a question about the consequences of a browser refresh - in most browsers this is done by pressing F5 and/or Ctrl-R, sometimes also referred to as 'Reload'.

I noticed from the log files (Tomcat log and testing log) that the browser refresh results in fully new login request. It seems that the only difference is that the user does not need to supply username and password, but otherwise the refresh results in a new session and the app going through any login process and displaying the start screen for the user. I wonder whether that is intended behaviour and/or unavoidable for some technical reason.

Consequently, the browser refresh is not a good method to refresh any information on the screen. I know that there shouldn't be any need to do a browser refresh because you can put a refresh button on just about any form or query, and in most cases they will even auto-refresh. But still, it would seem more customer friendly if a browser refresh would return the user to the same screen that he was in when doing the refresh. Has anyone taken the effort of recording each page that the user visits for the purpose of returning him to that same place after the refresh ? Or would that not be a good idea because of any side effects of the browser refresh, i.e. should this refresh be discouraged so that the user will use the app's refresh button instead?

hpl123

nhofkes wrote
This is a question about the consequences of a browser refresh - in most browsers this is done by pressing F5 and/or Ctrl-R, sometimes also referred to as 'Reload'.

I noticed from the log files (Tomcat log and testing log) that the browser refresh results in fully new login request. It seems that the only difference is that the user does not need to supply username and password, but otherwise the refresh results in a new session and the app going through any login process and displaying the start screen for the user. I wonder whether that is intended behaviour and/or unavoidable for some technical reason.

Consequently, the browser refresh is not a good method to refresh any information on the screen. I know that there shouldn't be any need to do a browser refresh because you can put a refresh button on just about any form or query, and in most cases they will even auto-refresh. But still, it would seem more customer friendly if a browser refresh would return the user to the same screen that he was in when doing the refresh. Has anyone taken the effort of recording each page that the user visits for the purpose of returning him to that same place after the refresh ? Or would that not be a good idea because of any side effects of the browser refresh, i.e. should this refresh be discouraged so that the user will use the app's refresh button instead?

The reason for this as far as I know is because the user is already logged in and the current session is "alive" when the user refresh the browser i.e the users credentials are "stored" in some way in the browser or tomcat so when the browser refresh, it does something equivalent to what we can do when log in in via a URL with the user information etc. in the URL i e it kind of logs the user in again.

I have worked around this in a couple of different ways, I have done what you ask about i.e "record" the users last vp/layout and when the browser is refreshed, a initialization process takes them back to the same page. I actually used a temporary vp as the login vp to do this and that vp was empty and only had a single process to navigate the user to some other vp/layout (as otherwise, the app would first show the default start vp/layout and then redirect the user to the last vp/layout). Not the best solution but works. Other things you can do include using the localstorage of the browser instead and use that as a placeholder for information, scripts etc. related to last vp/layout. You also have different JS functions and workarounds you can use to manipulate things around browser refresh e.g "catch" browser refresh event and override it or do something else instead of browser refresh e.g show a popup with options for the user (go to homepage, go to last visited screen, cancel refresh etc. etc. etc.).

nhofkes

I haven’t tested this myself. If it is indeed possible to login again without entering credentials, even after an explicit logout, this would indeed be a signifcant security risk (as gernotlg pointed out last year).

This could perhaps be countered by catching the browser refresh event as suggested by hpl123, but that would require to use custom JS on every page which seems like quite a bit of work and really unnecessary as a logout should simply be an irrevocable action.

I am using other SaaS software which displays a message shortly before the session times out, warning of the upcoming time out and offering the possibility to extend the session. That would be a useful addition, but less important than fixing this login issue.

gernotlg

I know this is not what your post is addressing, however, I wonder.. if there is a security risk here (while we're on the subject of Browser Refresh). I have noticed that when I leave a session idle for a while, then go to use it, it tells you the session has timed out, and I get logged out, like it is supposed to.

But !!!.. I've learned that, if I suspect it's been too long, instead of being logged out, I will just press F5 to refresh the browser and it logs me back in without asking for a password.

I think there is a risk here, if users know this, and someone else's session is logged in, times out (but hasn't gone back to the log-in page), then the user in the know.. could re-log in as the currently/previously logged in user (in a shared office space for eg), and potentially do or see stuff that their own access level doesn't allow.

Of course, this is overcome with 2FA, but then it would have to be enforced which isn't necessarily ideal for all situations.

nhofkes

I would assume that if a session is timed out, then the user is actually logged out already at that time? So presumably the fact that you were logged in after pressing F5 suggests that the session had not yet timed out even though you suspected that it might have been too long.

In any event, it seems that the security risk is not so much with the refresh of the session, it is with the user who leaves the computer unattended and without logging out of the application.

syndeo

nhofkes after a time out and/or a logout, if you click the browser’s back button and and refresh, a new session is created and the user is logged in without requiring credentials.

syndeo

I have played around with java script and it is working.

When the login page is loaded - it checks for the username element.

You will need to add this to every logon page - .html and .jsp

If the element exits, then add a true flag to the browser’s local storage.

//check for username element and set local storage item to true
    if (document.getElementById('username')) {
        localStorage.setItem('UsernameExists', 'true');
    }

//clear username and password elements values. I'll explain why we need below.
    window.addEventListener('beforeunload', function(event) {
       document.getElementById('username').value="";
       document.getElementById('password').value="";
    });

in the startup.html file

You are adding script to check if a refresh has been performed and if the local storage item is true. IF they are both true, then it redirects user to the logon screen each time. This should work for time outs as well.

if (window.performance && window.performance.getEntriesByType) {
	const navigationEntries = window.performance.getEntriesByType('navigation');
	if (navigationEntries.length > 0) {
		const navigationType = navigationEntries[0].type;
    		if (navigationType === 'reload') {
      			// Perform actions specific to a page refresh
			console.log('This page was reloaded.');
				if (localStorage.getItem('UsernameExists') === 'true') {
			                window.location.replace("http(s)://server/AwareIM/logon.jsp?domain=yourdomain");
    		               }
		} 
// you can also include what happens if back button or forward button is clicked or if a natural navigation has occurred. this is not necessary for what I wanted to achieve, but have included it for completeness.
		else if (navigationType === 'navigate') {
      			console.log('This page was a fresh navigation.');
    		}
		else if (navigationType === 'back_forward') {
      			console.log('This page was accessed via back/forward buttons.');
    		} 
		else {
      			console.log('Navigation type:', navigationType);
    		}
  	}
} 
else {
	console.log('PerformanceNavigationTiming API not supported in this browser.'); //if the browser can't handle the command.
}

//need to set the local storage to false. This will allow the user to refresh as many times whilst logged into the app with no redirection.
if (localStorage.getItem('UsernameExists')  !== null) {
	
localStorage.setItem('UsernameExists','false'); 
}

when the user logs out/times out the local storage is set to true again. This is why it is important to add the code above to all login files.
if the user hits the back button and refreshes the browser, the refresh code is invoked and because the local storage is set to true, it navigates the user back the the logon page.

if the use hits the back button enough times, they will be taken back to their very first logon page, but this time the username and password fields will be populated. which is not ideal. that is why we need the
document.getElementById('username').value="";
document.getElementById('password').value="";

in the login files so that when the user navigates away from the login page, the field values are blanked out.

I’ve tested this on a a windows pc using edge and chrome.

syndeo

works on a android using chrome.

it doesn’t work on a iphone using safari. I suspect this is because of localstorage being blocked. investigating…

syndeo

after further testing this seems a bit clunky and not working on all browsers. So perhaps a more simple solution is to execute JavaScript in an AIM process you use to logout.
instead of

FIND SynstemUser WHERE SystemUser = LoggedInSystemUser Logout SystemUser DISPLAY URL 'http(s)://server/AwareIM/logon.jsp?domain=myDomain'

you simply do this

FIND SynstemUser WHERE SystemUser = LoggedInSystemUser Logout SystemUser EXEC_SCRIPT 'window.location.replace(http(s)://server/AwareIM/logon.jsp?domain=myDomain);'

//putting this here again as the script function removes the quotes need. make sure you use the correct quotes here “ ` ”
EXEC_SCRIPT ’window.location.replace(‘http(s)://server/AwareIM/logon.jsp?domain=myDomain’);'

this forces the browser to remove startup.html from the browser’s history so when you click back after a logout it simply takes you back to the original logon screen.

I have however found that with some browsers when you click back the user’s credentials are populated. so you will need some script in each logon page to clear the credentials when the user hits login.

//clear username and password elements values. window.addEventListener('beforeunload', function(event) { document.getElementById('username').value=""; document.getElementById('password').value=""; });

Would be great if others could test and let me know if it works