Forum Discussion

Sep 07, 2016

ASM - OWASP - Is it really required to redirect the user to a new page after login?

Reading this FAQ I am a bit confused:

https://www.owasp.org/index.php/OWASP_Application_Security_FAQIs_it_really_required_to_redirect_the_user_to_a_new_page_after_login.3F

Can I just not go back to the first page with username+password and re-submit them? What is the added value of this redirection?


1 Reply

  • The point of the redirection is that the user's browser caches the token (which expires) rather than the username and password. So if an attacker tries to reauthenticate by refreshing the browser the browser sends the token, not the username and password, resulting in a failed login. The login page itself should not be coded to cache the username and password, so navigating back to the first page should present a blank login, not a login page prefilled and ready to resubmit.
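The following is an added example, not code from the thread or from OWASP, that models the reply's point in plain Python: a server whose login handler either answers a successful POST with a 303 redirect (so the browser's history entry for the landing page is a GET carrying only the session cookie) or renders the landing page straight from the POST, and a toy browser that replays its last navigation on refresh. The user `alice`, the salt, the `/login` and `/home` paths and the 300-second token lifetime are all constructed for the demonstration.

```python
"""Post/Redirect/Get after login versus rendering from the POST (constructed example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed credential store: a hypothetical salt and one demo user, not a real database.
_SALT = b"demo-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}
SESSIONS = {}          # session token -> expiry, on a caller-supplied clock (seconds)
SESSION_TTL = 300      # assumed token lifetime

LOGIN_FORM = "<form method=post><input name=user><input name=password type=password></form>"


def check_password(user, password):
    """Constant-time comparison against the stored salted hash."""
    expected = USERS.get(user)
    if expected is None:
        return False
    candidate = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(expected, candidate)


def valid_token(token, now):
    expiry = SESSIONS.get(token)
    return expiry is not None and now < expiry


@dataclass
class Request:
    method: str
    path: str
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def handle(req, now, redirect_after_login=True):
    """Server side. With redirect_after_login=True a successful POST answers 303 See Other,
    so what the browser keeps in history is a GET that carries only the session cookie.
    With False the landing page is rendered straight from the POST."""
    no_store = {"Cache-Control": "no-store"}   # neither the login form nor the landing page may be cached
    if req.path == "/login":
        if req.method == "GET":
            return Response(200, dict(no_store), LOGIN_FORM)
        if not check_password(req.form.get("user", ""), req.form.get("password", "")):
            return Response(401, dict(no_store), "bad credentials")
        token = secrets.token_urlsafe(32)
        SESSIONS[token] = now + SESSION_TTL
        headers = {**no_store, "Set-Cookie": f"session={token}; HttpOnly; Secure; SameSite=Lax"}
        if redirect_after_login:
            headers["Location"] = "/home"
            return Response(303, headers, "")
        return Response(200, headers, "welcome")
    if req.path == "/home":
        if valid_token(req.cookies.get("session"), now):
            return Response(200, dict(no_store), "welcome")
        return Response(303, {"Location": "/login"}, "")   # missing or expired token: back to the form
    return Response(404, {}, "not found")


class Browser:
    """Toy browser: a cookie jar plus the request that a refresh (F5) would replay."""

    def __init__(self, redirect_after_login=True):
        self.redirect = redirect_after_login
        self.cookies = {}
        self.last = None

    def navigate(self, req, now):
        self.last = req
        resp = handle(Request(req.method, req.path, dict(req.form), dict(self.cookies)),
                      now, self.redirect)
        if "Set-Cookie" in resp.headers:
            name, value = resp.headers["Set-Cookie"].split(";", 1)[0].split("=", 1)
            self.cookies[name] = value
        if resp.status == 303:
            # A 303 is followed with a GET, and that GET replaces the POST as the history entry.
            return self.navigate(Request("GET", resp.headers["Location"]), now)
        return resp

    def refresh(self, now):
        return self.navigate(self.last, now)


def login_then_refresh_after_expiry(redirect_after_login):
    """Log in at t=0, refresh once the token has expired, report what the refresh replayed."""
    browser = Browser(redirect_after_login)
    creds = {"user": "alice", "password": "correct horse"}
    first = browser.navigate(Request("POST", "/login", creds), now=0)
    assert first.body == "welcome"
    replayed = browser.last
    resp = browser.refresh(now=SESSION_TTL + 1)
    return {"replayed_method": replayed.method, "replayed_form": dict(replayed.form),
            "credentials_resent": "password" in replayed.form, "body": resp.body}
```

With the redirect, the refresh after expiry replays `GET /home` with nothing but the (now expired) cookie, and the user lands on an empty login form; without it, the refresh replays the original `POST /login` including the password, and the server silently issues a fresh session. The `Cache-Control: no-store` header on both pages is the server-side counterpart of the reply's last sentence: the login form itself must not be served from cache with its fields still filled in.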