java - Detect if user is coming from another website after login
I am working on a Spring MVC web application where the user has to log in to access confidential data. So far I am done, but I am stuck at one point.
Consider the following scenario:
What is happening now: the user has logged in and has been redirected to the homepage. The user clicks on the address bar and types www.stackoverflow.com; once it has opened, the user hits the back button of the browser. Since the user's session is active, he is allowed to access the data.
What should happen: when a logged-in user goes to another website and comes back, he must log in again.
- I have done R&D on handling browser history, but the browser doesn't allow me to play with the history.
- I have tried handling it in an interceptor.
- I have tried using the HTTP referrer, but it doesn't tell me if the user is coming from another website: the browser uses the same request it used when the user was redirected after successful login, hence the referrer returns me context/login as the referrer when the user comes back from another website.
Now I am out of ideas; please guide me to achieve this.
Thanks.
Purpose of such an odd requirement:
The user can do whatever he wants to do. I am trying to make sure that if the user forgets to log out and somehow moves to another website within the same tab, the data must be secure enough that no one can see it except himself.
There's no way to do this perfectly, considering that the browser's back button isn't in any way different from performing a normal request.
The only remotely feasible way, implemented in an unreliable and overly complex way, is to add JavaScript to every page and, when leaving a page, check whether the next page is one of the bank pages or an external page, then perform a logout (or store a token in local storage or similar, to indicate that the user has been somewhere else).
Or a better idea: talk to the bank people, discuss the actual threats, and make sure the system is designed to withstand the OWASP attacks.
Do you have a security consultant or a similar person in charge there? The situation doesn't sound secure, and I'm surprised you're allowed to work on that, considering how regulated the financial sector is (at least in most of the countries I know).
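The client-side check the answer above describes, as an added example that is not part of the original post: each page records a marker when it is left for any reason other than a recent in-app link click or form submit, and forces a logout when a page is shown while the marker exists. The names `KEY`, `WINDOW_MS`, `createGuard` and the `/logout` URL are assumptions, and `sessionStorage` stands in for the "local storage or similar" the answer mentions because it is scoped to the tab.

```javascript
// Added example; KEY, WINDOW_MS, createGuard and /logout are assumed names.
const KEY = "leftSiteAt";   // marker kept in sessionStorage (tab-scoped)
const WINDOW_MS = 2000;     // how long a noted in-app click stays valid

// True when url resolves to this application's own origin.
function isInternal(url, origin) {
  try { return new URL(url, origin).origin === origin; }
  catch { return false; }
}

function createGuard(storage, origin, now = Date.now) {
  let internalAt = -Infinity; // time of the last in-app link click or form submit
  return {
    // Call from click/submit handlers with the destination URL.
    noteNavigation(url) {
      internalAt = isInternal(url, origin) ? now() : -Infinity;
    },
    // Call from pagehide: anything not caused by a recent in-app navigation
    // (typed URL, bookmark, external link, reload) is recorded as leaving.
    onPageHide() {
      if (now() - internalAt > WINDOW_MS) storage.setItem(KEY, String(now()));
    },
    // Call from pageshow: true means the user left and must log in again.
    onPageShow() {
      const left = storage.getItem(KEY) !== null;
      storage.removeItem(KEY);
      return left;
    },
  };
}

// Browser wiring; skipped when this file is loaded outside a browser.
if (typeof window !== "undefined") {
  const guard = createGuard(window.sessionStorage, window.location.origin);
  document.addEventListener("click", (e) => {
    const a = e.target.closest("a[href]");
    if (a) guard.noteNavigation(a.href);
  });
  document.addEventListener("submit", (e) => guard.noteNavigation(e.target.action));
  window.addEventListener("pagehide", () => guard.onPageHide());
  // pageshow also fires when the page is restored from the back/forward cache.
  window.addEventListener("pageshow", () => {
    if (guard.onPageShow()) window.location.replace("/logout"); // server must invalidate the session
  });
}
```

Reloading the page or opening a bookmark to the same site also counts as leaving, and the check disappears when scripts are disabled, which is the unreliability the answer refers to.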