  1. #1
    SitePoint Wizard holmescreek's Avatar
    Hey Everyone,

    I built a PHP admin login script to maintain a back-end database. The script is tacked on to the beginning of any page that I want to protect. Basically, when a user logs in successfully, UserID is set and any succeeding calls to the same script will bypass the login code because it has been set.


    I provided a logoff button that unsets UserID and destroys the session. This causes the login screen to appear again because UserID is gone now. This is fine. However, if I click the back button a couple of times and refresh the page, the browser asks if I want to resend that data. If I click yes, the login info is resubmitted using the values that the user submitted during the first login.

    Q: Is there a way to prevent this? I've tried setting the cache_delimeter, killing the session etc. About the only solution I found is to pop up the page, using java, in a window without the menu bar -- this prevents the "general" user from using the back buttons. If the Logoff button is pressed then I unset the UserID and use <body onload...> to close the window.

  2. #2
    ********* Callithumpian silver trophy freakysid's Avatar
    Did you get this sorted out?

    I've just tested out a content management script that I've written and I realise I have the same problem. The user can "log out", which destroys the session, but can just hit the back button to reload restricted pages from cache.

    Firstly, I think that logging out manually is going to have to include something to expire the session cookie. Secondly, I might need to put some javascript cookie detection in all scripts so that if the session cookie is not present the page redirects to the login page to stop it from being loaded from cache.

    Anyone got a nice solution?

    This thread would be better off in the PHP forum.

  3. #3
    SitePoint Wizard holmescreek's Avatar

    Followup

    Nope, still can't figure out a way to do this without sticking the login screen in a java pop-up box with the back buttons turned off. It works, for my purposes I guess.

    Maybe something in the php.ini file might fix the problem.

    Anyone have a solution?

  4. #4
    One website at a time mmj's Avatar
    It sounds like you're relying on POST data in one page, and when the user goes back to a page that was the result of a POST, it asks them if they want the POST data sent again.

    Then the user is able to choose YES, and resend the login data, thus logging in again.

    I don't know of any http header to stop the browser resending POST information when the page is reloaded, but someone else might.

    If it were me, I'd change the code so it only posts the data at the first login form, and the rest of the time the user info is only in the session variables, not forwarded by the browser using POST.

    However, even then if the user went back and reloaded the first page, it would resend the login details and log in again.

    You could include a client-side script (javascript) that checks how long it was since the previous page loaded. Perhaps... Sorry, that's a pretty far out idea... I have no ideas on how to implement that.

    Hopefully somebody has some http info on how to stop the browser from resending the POST data.
    [mmj] My magic jigsaw
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    The Bit Depth Blog Twitter Contact me
    Neon Javascript Framework Jokes Android stuff
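
An added example, not part of any post in this thread: one common way to address both problems raised above (the browser re-sending the login POST, and restricted pages reappearing from cache after logoff) is the Post/Redirect/Get pattern combined with a `Cache-Control: no-store` header, a technique the thread itself does not name. The `check_credentials()` helper, the demo account and the form field names are hypothetical; `UserID` is the session key from the first post.

```php
<?php
// Added example, not code from the thread. Include at the top of each protected page.
session_start();
// Forbid storing protected pages, so Back after logoff cannot redisplay them from cache.
header('Cache-Control: no-store, private');

// Hypothetical stand-in for the real database lookup; the account is constructed.
function check_credentials(string $user, string $pass): bool
{
    $demoHash = password_hash('demo-password', PASSWORD_DEFAULT);
    return $user === 'admin' && password_verify($pass, $demoHash);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $action = $_POST['action'] ?? '';
    $user = (string) ($_POST['user'] ?? '');
    $pass = (string) ($_POST['pass'] ?? '');
    if ($action === 'login' && check_credentials($user, $pass)) {
        session_regenerate_id(true);      // fresh session id once authenticated
        $_SESSION['UserID'] = $user;
    } elseif ($action === 'logoff') {
        $_SESSION = [];
        $p = session_get_cookie_params(); // expire the session cookie as well
        setcookie(session_name(), '', time() - 3600,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        session_destroy();
    }
    // 303 See Other: the browser follows with a GET, so the history entry is
    // the GET and neither Back nor Refresh has a POST to re-send.
    header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?'), true, 303);
    exit;
}

if (!isset($_SESSION['UserID'])) { ?>
    <form method="post">
      <input type="hidden" name="action" value="login">
      <input name="user"> <input name="pass" type="password">
      <button type="submit">Log in</button>
    </form>
<?php
    exit;
} ?>
<p>Logged in as <?= htmlspecialchars($_SESSION['UserID']) ?></p>
<form method="post"><button name="action" value="logoff">Log off</button></form>
```

Because every POST is answered with a redirect, credentials are only ever sent once from the login form, and after that the login state lives only in the session, as the last reply suggests.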

