My site will be used from publicly shared computers. What precautions must I take?
To quote the OWASP FAQ:
- You can make sure your pages do not get cached on the system by setting
the correct cache control directives.
- You could take care that no sensitive information is included in the URLs
since the history of the client browser will store these.
- Have a graphical keyboard for entering the password or ask the user to enter
a different part of the password each time. This protects the password
against keystroke loggers.
- To prevent sniffing of passwords and replay attacks using those, you should
either use SSL or salted MD5 for passwords. The clear text password in the
memory should be reset after computing the MD5.
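The first two precautions above (cache control directives and keeping secrets out of URLs) are the ones a server can enforce mechanically. The following is an added example, not code from the OWASP FAQ or from any project: a small Python handler that sends the no-cache headers on a sensitive page, a check you can run over your own responses to confirm `no-store` is really set, and a check that a request URL carries none of a (hypothetical, constructed) list of sensitive parameter names. The `AccountHandler` class, the `SENSITIVE_PARAMS` set and the sample URLs are assumptions made for the example.

```python
"""Added example (not from the OWASP FAQ): a response that keeps a sensitive
page out of a shared computer's browser cache, plus a check that the URL
carries nothing that would end up in browser history.  The handler, the
parameter list and the sample URLs are constructed for illustration."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, parse_qs


# Query-parameter names treated as sensitive for the example; a real site
# would derive this list from its own parameter inventory (assumption).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "sessionid",
                    "session_id", "ssn", "account"}


def no_cache_headers():
    """Directives that keep the page out of browser and proxy caches.

    no-store is the directive that matters (RFC 7234 section 5.2.2.3);
    the others cover HTTP/1.0 caches and clients that only honour Expires.
    """
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
        "Pragma": "no-cache",
        "Expires": "0",
    }


def stays_out_of_cache(headers):
    """Check an existing response's headers: True only if no-store is set.

    Header names and directive names are compared case-insensitively,
    as HTTP requires, so a 'CACHE-CONTROL: No-Store' header passes.
    """
    for name, value in headers.items():
        if name.lower() == "cache-control":
            directives = {d.strip().lower() for d in value.split(",")}
            return "no-store" in directives
    return False


def sensitive_params_in_url(url):
    """Return the sensitive query parameters found in url, sorted.

    Anything in the query string lands in the browser history, the
    address-bar autocomplete and the Referer header of outbound links,
    so on a shared machine these must travel in a POST body instead.
    """
    query = urlsplit(url).query
    return sorted(k for k in parse_qs(query, keep_blank_values=True)
                  if k.lower() in SENSITIVE_PARAMS)


class AccountHandler(BaseHTTPRequestHandler):
    """Serves a hypothetical account page with both precautions applied."""

    def do_GET(self):
        leaked = sensitive_params_in_url(self.path)
        if leaked:
            # Refuse rather than process: the secret is already in history.
            self.send_response(400)
            body = ("Sensitive parameters in URL: "
                    + ", ".join(leaked)).encode()
        else:
            self.send_response(200)
            body = b"<html><body>Account balance: 1234.56</body></html>"
        # Error pages get the no-cache headers too; they may echo input.
        for name, value in no_cache_headers().items():
            self.send_header(name, value)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Sample URLs (constructed): the second one would leak the password.
    for sample in ("/account?view=summary",
                   "/login?user=bob&password=hunter2"):
        print(sample, "->", sensitive_params_in_url(sample) or "clean")
    HTTPServer(("127.0.0.1", 8080), AccountHandler).serve_forever()
```

Run it and fetch `/account?view=summary` with a browser or `curl -i`: the response carries `Cache-Control: no-store`, so the page is not written to the disk cache; the same request with `&password=...` appended is rejected before any processing. `stays_out_of_cache` is the check to point at your existing responses, because `private` or `max-age=0` alone does not stop a browser from writing the page to disk.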