Talk:Broken Authentication and Session Management

From OWASP

There's a mistake in:

Browser Caching – Authentication and session data should never be submitted as part of a GET, POST should always be used instead. Authentication pages should be marked with all varieties of the no cache tag to prevent someone from using the back button in a user's browser to back up to the login page and resubmit the previously typed in credentials. Many browsers now support the autocomplete=false flag to prevent storing of credentials in autocomplete caches.

The correct usage of the autocomplete attribute is: autocomplete="off".
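As an added illustration (not part of the OWASP page or this discussion), the following Node.js snippet builds a login-page response that applies the three points from the quoted paragraph (POST instead of GET, no-cache headers, and autocomplete="off" rather than autocomplete=false) and pairs it with an audit function that checks any captured response for the same three points. The route `/login`, the field names and the HTML are constructed for the example; the audit only reports findings and does not change the page.

```javascript
// Added example, not from the OWASP page: a login-page response that applies
// the three recommendations, plus an audit that checks a captured response
// for them. Plain Node.js, no dependencies; HTML, route and headers are
// constructed for illustration.

// Cache directives an authentication page should carry. "no-store" is the
// one that prevents back-button replay; Pragma/Expires cover HTTP/1.0 caches.
const NO_CACHE_HEADERS = {
  'cache-control': 'no-store, no-cache, must-revalidate, max-age=0',
  'pragma': 'no-cache',
  'expires': '0',
};

// Builds the login page: credentials go over POST, and the form and the
// password field opt out of the browser's autocomplete cache with
// autocomplete="off" (the valid token; "false" is not a defined value and
// browsers fall back to the default "on" state for it).
function loginPageResponse() {
  const body = `<!doctype html>
<html><body>
<form method="post" action="/login" autocomplete="off">
  <label>User <input type="text" name="username" autocomplete="off"></label>
  <label>Password <input type="password" name="password" autocomplete="off"></label>
  <button type="submit">Log in</button>
</form>
</body></html>`;
  return {
    status: 200,
    headers: { ...NO_CACHE_HEADERS, 'content-type': 'text/html; charset=utf-8' },
    body,
  };
}

// Lower-cases header names so lookups are case-insensitive, as HTTP requires.
function normaliseHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = String(v);
  return out;
}

// Audits a captured response ({ headers, body }) and returns a list of
// findings; an empty list means all three recommendations are satisfied.
function auditLoginPage(response) {
  const findings = [];
  const headers = normaliseHeaders(response.headers);
  const body = response.body || '';

  // 1. No-cache directives: require no-store, and Pragma for legacy caches.
  const cc = (headers['cache-control'] || '').toLowerCase();
  if (!/\bno-store\b/.test(cc)) {
    findings.push('Cache-Control header lacks no-store');
  }
  if ((headers['pragma'] || '').toLowerCase() !== 'no-cache') {
    findings.push('Pragma: no-cache header missing');
  }

  // 2. Form method: credentials must not travel in a GET query string.
  const formTags = body.match(/<form\b[^>]*>/gi) || [];
  for (const tag of formTags) {
    const m = tag.match(/\bmethod\s*=\s*["']?(\w+)/i);
    const method = m ? m[1].toLowerCase() : 'get'; // HTML default is GET
    if (method !== 'post') {
      findings.push(`form submits credentials via ${method.toUpperCase()}`);
    }
  }

  // 3. Every password input must carry autocomplete="off" (exactly "off").
  const pwInputs = body.match(/<input\b[^>]*type\s*=\s*["']?password["']?[^>]*>/gi) || [];
  for (const tag of pwInputs) {
    const m = tag.match(/\bautocomplete\s*=\s*["']?([\w-]+)/i);
    if (!m || m[1].toLowerCase() !== 'off') {
      findings.push('password input lacks autocomplete="off"');
    }
  }
  return findings;
}

// Constructed weak page for comparison: GET form, cacheable, autocomplete=false.
function weakLoginPageResponse() {
  return {
    status: 200,
    headers: { 'Content-Type': 'text/html' },
    body: '<form method="get" action="/login">' +
          '<input type="password" name="p" autocomplete=false></form>',
  };
}
```

Running `auditLoginPage(loginPageResponse())` yields no findings, while the constructed weak page produces four: the missing Cache-Control no-store and Pragma headers, the GET form, and the invalid autocomplete=false on the password field.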