Is it really required to redirect the user to a new page after login? Consider an application whose login page sends the username and password to the server in a POST request. If the user clicks refresh on the second page (the page shown after login), the browser resends the same request, including the username and password in the POST body. Attackers only have to do a refresh: since the username and password are resubmitted and revalidated, they can log in as the user.

Now let's assume the application has a login page that takes the user to an intermediate page for authentication.
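The refresh-replay problem above, and the Post/Redirect/Get fix, as an added example (not code from the original article): a tiny in-memory "browser" records the last request it sent, which is exactly what a refresh would resend. The handler names, the `USERS` table and the `alice` credential are constructed for the demonstration.

```python
import secrets
from dataclasses import dataclass, field

USERS = {"alice": "correct-horse"}   # constructed sample credential store
SESSIONS = {}                         # session id -> username

@dataclass
class Request:
    method: str
    path: str
    form: dict = field(default_factory=dict)     # POST body fields
    cookies: dict = field(default_factory=dict)

def login_no_redirect(req):
    # Vulnerable pattern: the POST itself renders the post-login page, so the
    # browser's "current page" is a POST that still carries the credentials.
    if req.method == "POST" and USERS.get(req.form.get("user")) == req.form.get("pw"):
        return 200, {}, f"Welcome {req.form['user']}"
    return 401, {}, "Bad credentials"

def login_prg(req):
    # Post/Redirect/Get: answer the POST with 303 plus a session cookie; the
    # browser then GETs /home, and that GET is what a refresh replays.
    if req.method == "POST" and USERS.get(req.form.get("user")) == req.form.get("pw"):
        sid = secrets.token_urlsafe(16)
        SESSIONS[sid] = req.form["user"]
        return 303, {"Location": "/home", "Set-Cookie": f"sid={sid}; HttpOnly"}, ""
    return 401, {}, "Bad credentials"

def home(req):
    # Post-login page: authenticated by the session cookie, never by a password.
    user = SESSIONS.get(req.cookies.get("sid"))
    return (200, {}, f"Welcome {user}") if user else (303, {"Location": "/login"}, "")

def browse(handlers, req):
    """Minimal browser: keeps cookies, follows redirects, returns the last request sent."""
    cookies = {}
    while True:
        status, headers, _body = handlers[req.path](req)
        if "Set-Cookie" in headers:
            name, value = headers["Set-Cookie"].split(";")[0].split("=", 1)
            cookies[name] = value
        if status not in (302, 303):
            return req          # this is the request a refresh (F5) would resend
        req = Request("GET", headers["Location"], cookies=dict(cookies))

def refresh_resends_credentials(handlers):
    login = Request("POST", "/login", form={"user": "alice", "pw": "correct-horse"})
    replayed = browse(handlers, login)
    return replayed.method == "POST" and "pw" in replayed.form
```

With the no-redirect handler the replayed request is the original POST with the password in it; with the 303 handler it is a GET of `/home` carrying only the session cookie.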