Bank-style Navigation Restrictions

Question

Some web applications, banking websites in particular, prevent you from using the browser\'s navigation buttons, opening links in new tabs or even refreshing the page. Ofte

Answer 1

From javascript you can detect a new window by checking the length of the history.

You can capture a backbutton event by injecting an iframe in your page, pointing to (e.g.) http://www.example.com/cacheable_blank_page.html then changing it's location to http://www.example.com/cacheable_blank_page.html#offset. When the user clicks on the back button, the iframe reverts to it's original location. If you attach an event handler to this then you can detect the back button and handle the situation appropriately.

There's some code to do that here.

Ultimately the problem that peolpe usually use this for is that their server-side code is poorly written and is innappropriately storing transaction related data in the session and/or overusing PRG patterns - ultimately this is a nasty hack intended to pre-empt problems rather than a solution to the root cause of the problem.

SilverlighFox's token based solution is great for CSRF but does not solve the problem of poor state management on the server.