  1. #1
    SitePoint Enthusiast
    Join Date
    Jul 2002
    Posts
    29

    Securely logging users out

    Users can currently log in and out of my site, but after logging out (and destroying the session used) someone can still browse back through the previous pages in the browser and refresh a page that had information submitted from a form. Obviously this means that whoever does this can get back into the site as someone else.

    Does anyone have any good tips to solve this, as well as tips in general about user management?

  2. #2
    SitePoint Guru
    Join Date
    Jan 2001
    Location
    Alkmaar, Netherlands
    Posts
    710
    1. <input type="password" name="password" autocomplete="off">

    2. When the user logs out, set session values to empty, and destroy the session

    3. Create the session id yourself by using MD5 and time functions + user_id, which would generate a very unique session

    4. Keep the session id in the database when the user logs in and empty it when he logs out. You should define an inactivity period to force the user to re-login.

    5. Keep the user's IP address when he logs in (not a good method though, but it can still be useful when you need to track your users)

    Note: Hope you are keeping user passwords encrypted in your database

    My humble opinions after a long working day
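Items 2 and 4 of the reply above, sketched as an added example (not code from either poster): the session id is recorded server-side at login, deleted at logout, and rejected after an inactivity period, so a cookie value replayed from browser history no longer maps to a user. It is written in Python with an in-memory SQLite table so it runs stand-alone; the table layout, function names and 15-minute idle limit are assumptions, and the session id comes from the OS random generator rather than the MD5/time construction in item 3.

```python
import hashlib
import secrets
import sqlite3

IDLE_LIMIT = 15 * 60  # assumed inactivity period, in seconds

def open_store():
    """Create the server-side session table (in-memory for this example)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (token_hash TEXT PRIMARY KEY,"
               " user_id INTEGER NOT NULL, last_seen REAL NOT NULL)")
    return db

def _digest(token):
    # Only a hash of the session id is stored, so a leaked table is not replayable.
    return hashlib.sha256(token.encode()).hexdigest()

def login(db, user_id, now):
    """Issue a fresh session id at login and record it server-side."""
    token = secrets.token_urlsafe(32)  # CSPRNG output, not derived from time or user_id
    db.execute("INSERT INTO sessions VALUES (?, ?, ?)", (_digest(token), user_id, now))
    return token

def logout(db, token):
    """Delete the server-side record; the old cookie value no longer maps to a user."""
    db.execute("DELETE FROM sessions WHERE token_hash = ?", (_digest(token),))

def current_user(db, token, now):
    """Return the user_id for a live session, or None if logged out or idle too long."""
    row = db.execute("SELECT user_id, last_seen FROM sessions WHERE token_hash = ?",
                     (_digest(token),)).fetchone()
    if row is None:
        return None
    user_id, last_seen = row
    if now - last_seen > IDLE_LIMIT:
        logout(db, token)  # expired: remove the row so it cannot be revived
        return None
    db.execute("UPDATE sessions SET last_seen = ? WHERE token_hash = ?",
               (now, _digest(token)))
    return user_id

if __name__ == "__main__":
    db = open_store()
    t = login(db, 42, now=1000.0)            # constructed user id and timestamps
    print(current_user(db, t, now=1060.0))   # request while logged in
    logout(db, t)
    print(current_user(db, t, now=1061.0))   # same session id replayed after logout
```

Every protected page would call `current_user` before rendering, so a page reloaded from history after logout is treated as an anonymous request.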

