I’m implementing an iAuth form for a credit application in a J2EE container (JSTL+JSP+Stripes). The vendor states in the implementation guide:
Expire the “Questions” page after answers submission
When performing iAuth transactions you will need to “expire” the page on which the consumer’s questions will be displayed after they have submitted their answers. This is crucial in order to prevent a consumer from using the “back” button to modify their answers after they have already submitted them once and found that their authentication attempt was unsuccessful. Once the answers to a question set have been transmitted to vendor, that question session is closed. Any additional attempts at modifying the answers to the same question set will result in an “invalid transaction-continue” response.
I am unsure what this means.
Are “they” suggesting just setting “Cache-Control” and/or “Pragma” headers on the form page?
Well you can use HTTP related techniques to expire pages. But those methods are rather what I consider “soft” techniques.
To better secure your system, you may want to follow this kind of server-side implementation:
Page A refers to the page that goes to the Form Page and Page B is the controller which receives the information posted by Form Page.
Aand sets it totrueAAOf course it can be even more complex with time checking (whether the User took too long from Page A to Form B, or took merely a second to submit Form Page to Page B).
When it comes to security in networking: Server side > Client Side