[ODC] Prevent user from accessing page-data by using back-button
Application Type
Reactive

I have an issue in an ODC app with a user being able to access sensitive data by pressing the back button on the browser. The app uses an external idp, and after logging out the user can just press the back button on the browser and still see the data on the screen, which, understandably, causes security issues. I have an additional check of whether the user is logged in, in the OnReady of all the screens, to prevent this, and it works fine if the user is logged in with the built-in authentication, but with an external idp in use, neither OnReady (nor OnInit or OnRender) gets triggered if the user presses back after logout.


How can I prevent the user from accessing this data? 


I have tried to disable the back-button functionality from the logout redirect page (which doesn't really fix the issue), but it didn't really work.


I have tried to add headers and cookies (in script, in OnInit, in the headers and with <meta> tags in the <head>) to prevent caching of the page, but with no luck.

2022-12-07 13-10-37
JenniS

For anyone struggling with the same issue, I came up with a workaround: the SSOlogout triggers an event which empties/hides all sensitive data on the screen before moving on to the actual logout. This way, if the user clicks back in their browser after logout, the page displayed doesn't have sensitive data on display, and if they click anything else on the screen the built-in checks kick in and a security exception is raised.

2019-01-07 16-04-16
Siya
 
MVP

Thanks @JenniS for the workaround. I would suggest you raise a Support ticket with OutSystems, and if it is indeed a problem they will fix it.

2022-12-07 13-10-37
JenniS

A ticket has been raised with Support.

2024-10-12 12-11-20
Kerollos Adel
Champion

@JenniS,

Hello,

I think you need to raise a support ticket with OutSystems. However, as a quick solution, when you retrieve data and find that the user ID is null, you should raise a security exception to prevent the user from completing the process.

2022-12-07 13-10-37
JenniS

Hello,


I did raise a ticket with OutSystems and hopefully they'll have a look at this issue in more depth.


The issue here is that no data is re-fetched and no events are triggered in which I could check whether the user is logged in or not when the user presses the back button after logout with an external idp, and the built-in check doesn't trigger here either. Based on my testing and understanding, the page is shown completely from the browser's cache at that point.

2024-10-12 12-11-20
Kerollos Adel
Champion

I will test it today and share the result once I find it.

2024-10-12 12-11-20
Kerollos Adel
Champion


Step 1 => I create page 1, which retrieves data (as an image), with Anonymous access.

Step 2 => Create an empty page 2 with Anonymous access.


Simulation

Open page 1 (tab 1)

Open page 1 from another tab (tab 2)

From page 1 click page 2 (tab 1)

From (tab 1) logout

From page 2 go back to page 1


In case data is retrieved from cache, it will not raise an exception.

What happened: it raised an exception, so the action is run.

usingbackbutton.oml
2022-12-07 13-10-37
JenniS

The key here is that an external idp is in use in this ODC app. Your steps don't show whether you were using an external idp or not. The steps to recreate would be:


1. Create screen1, only accessible by authenticated users (external idp), where data is fetched at start and displayed on screen

2. Log in to the app with the external idp and navigate to screen1

3. Logout user (using the external idp)

4. Once back in the app (on the after-logout page), press back on the browser.
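A client-side guard in the spirit of the two suggestions in this thread (blank the sensitive data before logout so a back-navigated copy shows nothing, and treat a missing user as a reason to stop), added here as an example and not code from the thread or from OutSystems. It relies on the browser's pageshow event, whose persisted flag is set when a page is restored from the back/forward cache without any screen lifecycle running, which matches the behaviour described above. It assumes the app can run this script on each sensitive screen (not on the login screen), marks sensitive elements with a data-sensitive attribute, calls markSession(window, true) once the user is authenticated and markSession(window, false) at the start of the logout flow; the marker name and login path are hypothetical.

```javascript
// Added example, not OutSystems' or the thread's code. Guards a screen that the browser
// restores from its back/forward cache after logout, where no screen lifecycle runs.
// Assumptions: the app runs this on each sensitive screen, marks sensitive elements with
// data-sensitive, and its logout flow calls markSession(window, false) before redirecting.
const SESSION_KEY = 'app.sessionActive';   // hypothetical sessionStorage marker name
const LOGIN_PATH = '/Login';               // hypothetical login screen path

// Decide what a page should do when it becomes visible.
// persisted: PageTransitionEvent.persisted, true when restored from the back/forward cache.
// sessionActive: whether the session marker is still present in this tab.
function decideOnShow(persisted, sessionActive) {
  if (sessionActive) return 'allow';
  // No marker: the user logged out in this tab. A restored page still holds the old
  // DOM, so wipe it before leaving; a fresh load has nothing to wipe.
  return persisted ? 'purge-and-redirect' : 'redirect';
}

// Blank and hide every element marked data-sensitive; returns how many were purged.
function purgeSensitive(doc) {
  let purged = 0;
  doc.querySelectorAll('[data-sensitive]').forEach((el) => {
    el.textContent = '';
    el.setAttribute('hidden', '');
    purged += 1;
  });
  return purged;
}

// Set or clear the marker; call with false at the start of the logout flow.
function markSession(win, active) {
  if (active) win.sessionStorage.setItem(SESSION_KEY, '1');
  else win.sessionStorage.removeItem(SESSION_KEY);
}

// Install the pageshow handler on a window-like object (passed in so it can be
// exercised without a browser). Returns the handler so it can be invoked directly.
function installBackCacheGuard(win) {
  const handler = (evt) => {
    const active = win.sessionStorage.getItem(SESSION_KEY) === '1';
    const action = decideOnShow(Boolean(evt && evt.persisted), active);
    if (action === 'allow') return action;
    if (action === 'purge-and-redirect') purgeSensitive(win.document);
    win.location.replace(LOGIN_PATH);  // replace() keeps the dead page out of history
    return action;
  };
  win.addEventListener('pageshow', handler);
  return handler;
}

if (typeof window !== 'undefined') installBackCacheGuard(window);
```

This only reduces what a restored page shows; the server-side checks on every data action remain the real control, since a cached copy can never be fully trusted to be empty.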
