[OWASP-Security101] Don't understand OWASP 2010 A3 redirect after login

Uncle Bob testme47 at gmail.com
Fri Aug 17 21:15:55 UTC 2012


I got a report from a customer running an OWASP test against my
hand-written web app that it doesn't issue a 302 redirect after
successful login.  The customer sent me the description of this
problem included in whatever report he got, but I don't understand it.
I tried putting in a 302 redirect after successful login, but I don't
see that it protects anything; for example, I thought that it might
prevent someone from logging in without knowing the username and
password by using "back" and "refresh" buttons in Firefox after
logging out, but it does not protect against that.

Can someone explain this vulnerability better, tutorial style or with
a good example, so I can understand and determine whether my change to
the webapp login really protects against something that needs to be
protected against?  I'm not finding a good explanation on owasp.org
(if it's there, maybe all I need is for somebody to point me to the
right page).

Thanks,
Uncle Bob
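The following is an added illustration, not the poster's application or any OWASP code: a minimal login/logout flow in which the 302 after login implements Post/Redirect/Get (so a browser refresh re-requests the landing page rather than re-submitting the credential POST), the session identifier is regenerated on login, and logout invalidates the session server side and sends no-store cache headers, which is what actually addresses the Back/refresh case described above. Routes, the user table and the session store are constructed for the example.

```python
# Added example: login/logout modelled as pure functions returning
# (status, headers, body) so the flow can be exercised offline.
import hashlib
import secrets

# Constructed credential store: username -> salted hash (illustrative only).
_SALT = b"constructed-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}

# Server-side session store: session id -> username.
SESSIONS = {}

def _check_password(user, password):
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    # constant-time comparison so a wrong guess does not leak timing
    return secrets.compare_digest(USERS.get(user, ""), digest)

def _no_store():
    # Stops the browser serving this response from cache on Back/refresh.
    return {"Cache-Control": "no-store", "Pragma": "no-cache"}

def login(session_id, user, password):
    """Handle POST /login: on success issue a fresh session id and a 302."""
    if not _check_password(user, password):
        return (401, _no_store(), "bad credentials")
    # Discard the pre-login (possibly attacker-chosen) id: anti-fixation.
    SESSIONS.pop(session_id, None)
    new_id = secrets.token_urlsafe(32)
    SESSIONS[new_id] = user
    headers = {"Location": "/home",
               "Set-Cookie": f"sid={new_id}; HttpOnly; Secure; SameSite=Lax"}
    headers.update(_no_store())
    # Post/Redirect/Get: refresh re-issues GET /home, not the credential POST.
    return (302, headers, "")

def logout(session_id):
    """Handle POST /logout: invalidate server side and expire the cookie."""
    SESSIONS.pop(session_id, None)
    headers = {"Location": "/login",
               "Set-Cookie": "sid=; Max-Age=0; HttpOnly; Secure; SameSite=Lax"}
    headers.update(_no_store())
    return (302, headers, "")

def home(session_id):
    """Handle GET /home: authorise against the server-side store only."""
    user = SESSIONS.get(session_id)
    if user is None:
        return (302, {"Location": "/login", **_no_store()}, "")
    return (200, _no_store(), f"welcome {user}")
```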
