I have a small query. Suppose you have a very secured site. Now after the user has logged in, the user copies the URL from the address bar of the browser. Then in the same browser window user opens another site (google.com). Now the user pastes the copied URL in the address bar . Here the request is bypassing the login page and the user sees the first page of the application. How can this be avoided. A classic example is some banking website, for example www.icicibank.com. On this website the above situation does not arrise as ( i guess ) each and every request is being authenticated by the web application.
Where exactly do you see the problem? A request is made to a site where the user is authenticated already. The authentication info is passed along with the request (probably either a cookie or an HTTP authentication header). Usually in these circumstances the server will remember when the last access happened, and require re-login if the time passed since then is too long (say, half an hour). Whether the browser was used to access some other site in between doesn't really matter.
On this website the above situation does not arrise as ( i guess )
Do you mean JavaRanch? It works just the same here - have a look at the cookies stored on your system for saloon.javaranch.com. You can even close the browser, and still don't need to re-login the next day. [ April 11, 2006: Message edited by: Ulf Dittmer ]
I know that once the user is authenticated, the user can not enter only when the session is invalidated. But i want my requests to be comming from my pages only. If u have used the www.icicibank, then u ll come to know what i exactly mean. If the user leaves my site then they ll have to relogin to access the web app, even if the session is still valid.
You could examine the REFERER HTTP header, to see if it contains an URL from your site. That header can be manipulated on the client, of course, but it makes it harder to access pages on your site coming from somewhere else.