I am using a PHP login script that challenges the user for a username & password.

Once authenticated, the program stores a session value. On logout, the session value is set to blanks.

Here is the problem:

In IE 8 (not Firefox), the user can hit the back button a few times until the screen which shows the "Web Page has expired" message. This is likely the login screen.

If he presses F5, it looks like the username and password are still hanging around in the POST variables and he gets logged back in.

A: 

It sounds like you are not actually deleting the session on the server; rather, you are clearing the session ID in the URL (or something) on the client. So when the back button is pressed and it tries to resubmit, the session ID is passed along and your server is accepting it.

OR

The pages are just being cached by the client, and when they press back, it loads from the cache. When they force the refresh, it reloads the page without the variables.

webdestroya
No sessionID in URL. I think login page is cached with values. When they press F5 it re-submits username header("Expires: Sat, 26 Jul 1997 05:00:00 GMT"); header("Pragma: public"); session_start();
TMP file guy
That is possible, but generally I think the browser will say "Warning: You are resubmitting form variables" or something like that.
webdestroya
A: 

You are going to need to do a session-based verifier to fix this. You pass to your login form a hidden field with a random verifier string. Store the random string in the session and use the reposted hidden field to verify against this identifier. After confirming login, regenerate the verifier so the next time the form is posted the verifier is incorrect and the back-button post doesn't work.

Jonathan Park
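The verifier described in this answer, written out as an added example (not code from the asker or from this answer). It assumes a check_credentials() function, which is only a placeholder here, and it goes one step further than the answer by clearing the stored verifier on every POST, not only after a successful login, so a replayed form post fails regardless of the credentials.

```php
<?php
// login.php: one-time form verifier (added example, not the original poster's code).
session_start();

// Placeholder (assumed, not from the answer): look the user up and password_verify()
// the stored hash; return true only on a valid username/password pair.
function check_credentials(string $user, string $pass): bool {
    return false;
}

// Issue a fresh random verifier and remember it in the session.
function new_verifier(): string {
    $token = bin2hex(random_bytes(32));
    $_SESSION['login_verifier'] = $token;
    return $token;
}

// True only if the posted verifier matches the one stored for this session.
// The stored value is cleared on every attempt, so a replayed POST (back
// button + F5) fails even if the credentials in it are still correct.
function consume_verifier($posted): bool {
    $expected = $_SESSION['login_verifier'] ?? null;
    unset($_SESSION['login_verifier']);
    return is_string($expected) && is_string($posted) && hash_equals($expected, $posted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = consume_verifier($_POST['verifier'] ?? null)
        && check_credentials((string)($_POST['username'] ?? ''), (string)($_POST['password'] ?? ''));
    if ($ok) {
        session_regenerate_id(true);      // new session id on privilege change
        $_SESSION['loggedIn'] = true;
        session_write_close();
        header('Location: loggedIn.php'); // redirect so the POST never stays in history
        exit;
    }
    $error = '<div class="error">Login failed.</div>';
}

$token = new_verifier(); // every render of the form gets a new verifier
?>
<?php if (!empty($error)) echo $error; ?>
<form method="post" action="login.php">
  <input type="hidden" name="verifier" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <input name="username"> <input type="password" name="password">
  <button type="submit">Log in</button>
</form>
```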
A: 

After you post your login form and verify/login/everything, do a header('Location: someOtherPage.php') redirect to another page. Then the form will not be able to be re-posted by pressing F5. For example:

//login.php
<?php
//no cache headers if you want.
session_start();

//placeholder (not part of the original answer): check the posted
//credentials against your user store and return true only on a match.
function is_valid_user() {
    return false;
}

if (!empty($_POST)) {
    //validate user & pass. if valid set session then...
    if (is_valid_user()) {
        //issue a new session id on login so a pre-existing id is not kept
        session_regenerate_id(true);
        //set session
        $_SESSION['loggedIn'] = true;
        //close session. this prevents problems with vars not
        //setting when using a header redirect because you redirect
        //before the session file can write.
        session_write_close();
        //redirect to another page
        header('Location: loggedIn.php');
        //stop the script from running
        exit;
    } else {
        echo "<div class='error'>Login failed.</div>";
    }
}
//echo login form.

?>

A header redirect doesn't show up in the history, so when pressing back they will not see the page that allows you to repost the form.

Jonathan Kuhn