注销用户访问单个Web应用程序页面
[英]Logging a user out for a single web application page
问题描述
This is an extension of my earlier XSS question . 
这是我先前的XSS问题的扩展。
Assuming that there isn't a Regex strong enough to guarantee XSS saftey for user entered URLs I'm looking at using a redirect. 假设没有足够强大的正则表达式来保证XSS在用户输入的URL中使用安全,我正在使用重定向。
(Although if you do have one please add it under the other question) (尽管如果您有一个,请在另一个问题下添加它)
We have user input web addresses, so: 我们有用户输入的网址,因此:
stackoverflow.com
They want a link to appear for other users, so: 他们希望链接显示给其他用户,因此:
<a href="http://stackoverflow.com">stackoverflow.com</a>
To reduce the risk of hacking I'm planning to use a warning page, so the link becomes: 为了减少被黑客入侵的风险,我打算使用警告页面,因此该链接变为:
<a href="leavingSite.aspx?linkid=1234" target="_blank">stackoverflow.com</a>
Then on that page there will be a warning message and a plain link to the original link: 然后在该页面上将显示一条警告消息和一个指向原始链接的普通链接:
<a href="javascript:alert('oh noes! xss!');">Following this link at your own risk!</a>
As we use a lot of Ajax I want to make that leaving-site page a walled garden of sorts, ideally by essentially logging the user out in that page only. 由于我们使用了大量的Ajax,因此我希望使离开站点页面成为各种围墙花园,理想情况下,实际上是仅从该页面注销用户。 I want them to stay logged in on the original page. 我希望他们保持登录状态。
Then if someone does get past the santisation Regex they can't access anything as the duped user. 然后,如果某人确实越过了正则表达式Regex,他们将无法作为受骗用户访问任何内容。
Anyone know how to do this? 有人知道怎么做吗? Is it possible to log out one window/tab without logging them all out? 是否可以注销一个窗口/选项卡而不将其全部注销? We support IE & FX, but ideally a solution would work in Opera/Chrome/Safari too. 我们支持IE&FX,但理想情况下,一种解决方案也可以在Opera / Chrome / Safari中使用。
2 个解决方案
解决方案1
1 2008-10-17 12:37:04
仅在一个选项卡/窗口中注销某人是不可能的。
解决方案2
0 2008-10-17 13:05:10
将Cookie限制为www.example.com,并在links.example.com上具有转发页面
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.