Logout for password protected page

I have a password protected directory on my web site. It works great, however, if you do not clear the cash and you walk away, someone can get back to the protected directory/page just by hitting the back page arrow on the browser. Could anyone help me on how could I get some type of code, so when someone leaves the directory, they are actually logged out and need to use the password agin to get back in.

Your help is greatly appreciated!

The password file - pwd - is used by the server to restrict folders/files. But IMHO this technique is better for protecting folders that only you have access to. Cookies can work to some extent, but IMHO they are better used for trivial purposes like remembering user preferrences. They can be saved and hacked. What you should look into is PHP SESSIONS and storing data in a database to best guess the user’s state of activty. eg. Every time they go to another protected page, reset the “timeout” for the session. After a certain amount of time has passed, destroy the SESSION.

Your Network Solutions’ scheme don’t use any cookie.
And there is no such action on the server side, called “user leaves directory”.

That is the problem, if the user leaves anyone can hit the back button to get back to the protected page. User name and password is still in cash. I guess you need a mechanism, whereby once the protected directory is left, if you want to go back to the protected directory’s first page, you need to log in again.

PHP code can be written that requires a logout so the cookies get cleared, so if in fact someone wants to come back, they have to sign in again.

As HTTP is stateless, there is no such thing as “stay or leave directory”.
Actually browser leaves directory immediately after click on it.

And what if fair user hit back button? Enter password again?

Password protected directory has nothing to do with css.

this is css section.


[Mittineague] - This reply was moved from the thread in the CSS forum

That depends. How are you protecting it now?

I use Network Solutions’ scheme, they protect a directory and they add the two files .access.pwd and .htaccess But what good is it if you can backtrack?

As I suspected.
Actually, PHP has nothing to do with such type of authorization. It is between web server and browser.

That depends. How are you protecting it now?

OK, I really know nothing about PHP so everything is a huge help. Thanks for the explanation. Do you know any such code that would help me in the time out session?

There’s a (somewhat old - 2003) SitePoint article http://articles.sitepoint.com/print/users-php-sessions-mysql

You could take a look at that. It seems pretty good and there’s a link where you can download the example code files near the end of it. If you don’t understand some of the basics, it recommends reading another article first to get more background information http://articles.sitepoint.com/article/php-mysql-tutorial

If you have trouble with the articles, just ask for help. There’s lots of us here that will gladly do so.

The problem you have is that if they hit the back button they are not accessing the site at all so whether they are logged in or not is irrelevant. All the back button does if the page is cached is to display the cached copy of the page. The only way around that is to stop the page from being cached when it is one that is only available while the person is logged in.

Timing out the session doesn’t prevent someone from being able to view cached copies of web pages that required a session to load in the first place that are cached by the browser because no call to the server to check the session is made.

Mittineague, thanks for the links, I’ll look and I am sure I’ll be back as I know nothing about PHP. :confused: But I’ll try. :slight_smile:

Stephen, I follow what you are saying but then what is the solution? The solution would be to write some code, that clears the cach, once the protected directory is left by the user, right? Can that be done? And if yes, how? Is this the solution?

Thanks for all your help!

Just close and re open the browser :slight_smile:

That does not work. If you come back and open it again, it still keeps you logged in. :confused:

So you can login but you can never log out? Like forced remember me? Weird.

:lol: That would work as long as you’re standing over every visitor’s shoulder.

You can use PHP to send cache headers. AFAIK this will work for most browsers as their “history” object for the back button is the URL. But last I knew Opera uses the cached page (it doesn’t fetch it again unless you refresh) I don’t know how it works with no cache pages.

You can provide a highly visible logout button that will destroy() the SESSION and yes, you can ask them to close their browser when done. Then you can hope they do so.

I don’t think there’s a 100% gauranteed way to prevent all users from viewing a “back” page. But you can do everything possible. And you can take steps to prevent them from doing anything more than looking at that one page.

Authenticated visitors might become annoyed if they have to log in too often. But I think they would prefer doing that than having their session hijacked by the next person after them.

We still don’t have clarification of “password protected directory”. What does it contain? A php files? Html ones? Images? Some media files?
PHP can send any header, yes… that affect only PHP file itself.

Hi All,

Thanks for trying to figure this out! Hmm, I do not know but if I close Safari and come back, the page is still available without a password. So, closing, at least in the case of Safari, is no help either.

Shrapnel_N5 - there are only a few (3-5) HTML pages in the protected directory.