473,698 Members | 2,932 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

maintaining login status across page refreshes

hey guys,
on the main page of my site, i have a login area (user/pass text
boxes). when the user submits the form, the page is reloaded with with
a global php variable "loggedIn" set to true. i also store the
username and password in the page in a hidden form -- so that it can be
passed to other pages on the site through standard navigation
(maintaining the "loggedIn" status). however, is there any way to save
this information if the user hits refresh? as it stands, whenever the
user hits refresh, the user/pass data is lost, and loggedIn is set to
false. can this be worked around without using cookies? thanks!

Jul 23 '05 #1
4 2031
This is more of a PHP question than JavaScript. Take a look at PHP
sessions-- they do use cookies when they can, and don't when they
can't.

I'd say it's generally bad practice to have the password sent back and
forth so often, especially as the password might be cached by the
user's browser.

If you're not concerned about it (bad!), you might try having the
username and password as part of the URL
(mypage.php?use rname=Random&pa ssword=lost+hop e)

though that's far worse, I should think...

Jul 23 '05 #2
yeah, you're definitely right -- saving and passing around the password
is a bad idea. after i've verified that their username/pass is valid
(a database check), all i really need to pass around is the "login
status" and their "username" -- which could really just be condensed
down to username (when not null, the person is logged in). passing
around the username would allow them to post messages in their own
name, etc without having to continuously re-enter it. i could do what
you're suggesting, and do something like: "mypage.php?use rname=random",
however, then anyone could impersonate somebody else, by simply typing
"?username=rand om" into their browser. that's why i was trying to
store the username in a hidden form. but it seems there isn't any way
to grab that info when the page is refreshed. unless i'm missing
something?

Jul 23 '05 #3
The hidden form idea is still very easily forged.

What's to say I don't make a form, store it locally, and click a button
to impersonate someone?

<form action=http://losthope.com/mypage.php method=POST>
<input type=text name=username />
<input type=hidden name=loggedin value=1 />
<input type=submit value=Impersona te />
</form>

[File > Save As > C:\NameThief.ht ml]

See what I mean?

Check out PHP sessions. They'll take care of you.

But if you absolutely want to do it with an embedded form field...
well, refreshing shouldn't make a difference, because theoretically the
browser should repeat the exact same HTTP request it used in the first
place. i.e. Same form data.

There is no (simple, reliable) way to make JavaScript help you here.
The entire JavaScript 'state' is lost upon page refresh.

(if you're adamant, you could use an unload event handler that opens a
new window which monitors the main window for a return to your site and
auto-re-populates the information you want, then closes itself. but
this is really a lot of trouble when PHP [which you're already
implementing] can do all of this automatically with sessions)

P.S.
Did I mention PHP sessions?
lost hope wrote:
yeah, you're definitely right -- saving and passing around the password is a bad idea. after i've verified that their username/pass is valid
(a database check), all i really need to pass around is the "login
status" and their "username" -- which could really just be condensed
down to username (when not null, the person is logged in). passing
around the username would allow them to post messages in their own
name, etc without having to continuously re-enter it. i could do what you're suggesting, and do something like: "mypage.php?use rname=random", however, then anyone could impersonate somebody else, by simply typing "?username=rand om" into their browser. that's why i was trying to
store the username in a hidden form. but it seems there isn't any way to grab that info when the page is refreshed. unless i'm missing
something?


Jul 23 '05 #4
heh, ok, PHP sessions it will be! i was wondering if one could easily
circumvent the hidden form part, and it certainly seems to be the case.
i suppose it's time for a bit o' php research ;) thanks for the help!

Random wrote:
The hidden form idea is still very easily forged.

What's to say I don't make a form, store it locally, and click a button to impersonate someone?

<form action=http://losthope.com/mypage.php method=POST>
<input type=text name=username />
<input type=hidden name=loggedin value=1 />
<input type=submit value=Impersona te />
</form>

[File > Save As > C:\NameThief.ht ml]

See what I mean?

Check out PHP sessions. They'll take care of you.

But if you absolutely want to do it with an embedded form field...
well, refreshing shouldn't make a difference, because theoretically the browser should repeat the exact same HTTP request it used in the first place. i.e. Same form data.

There is no (simple, reliable) way to make JavaScript help you here.
The entire JavaScript 'state' is lost upon page refresh.

(if you're adamant, you could use an unload event handler that opens a new window which monitors the main window for a return to your site and auto-re-populates the information you want, then closes itself. but
this is really a lot of trouble when PHP [which you're already
implementing] can do all of this automatically with sessions)

P.S.
Did I mention PHP sessions?
lost hope wrote:
yeah, you're definitely right -- saving and passing around the

password
is a bad idea. after i've verified that their username/pass is valid (a database check), all i really need to pass around is the "login
status" and their "username" -- which could really just be condensed down to username (when not null, the person is logged in). passing
around the username would allow them to post messages in their own
name, etc without having to continuously re-enter it. i could do

what
you're suggesting, and do something like:

"mypage.php?use rname=random",
however, then anyone could impersonate somebody else, by simply

typing
"?username=rand om" into their browser. that's why i was trying to
store the username in a hidden form. but it seems there isn't any

way
to grab that info when the page is refreshed. unless i'm missing
something?


Jul 23 '05 #5

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

4
3437
by: XP | last post by:
I am having problems with the blow page. I have a login page where I enter the userid and password. This then connects to this page. If I enter the userid and password correctly, it prints successfully logged into system. If I enter the wrong information all I get is an erro page HTTP status 502 etc. Can anyone help? <?php
1
5502
by: Wayne Smith | last post by:
Applies to: Microsoft FrontPage 2000, Microsoft Access 2000, IIS 5.0 Operating System: Microsoft Windows 2000 Professional I am trying to protect a portion of a web site by allowing users to register a username and password & then login with those details, but so far I am having only marginal success. I am far from an expert on ASP programming, indeed the code I am using comes from "Sams Teach Yourself E-Commerce Programming with ASP" but it...
2
1171
by: Geoffrey Callaghan | last post by:
I have a set of variables in an ASP Page that are sent from another page using properties. This works fine. However, when I refresh that page, those properties are lost. How do I maintain those values between refreshes? I tried creating another set of properties, but that didn't work.
3
6221
by: satishknight | last post by:
Hi, Can some one tell me how to change the validation sequence for the code pasted below, actually what I want it when any one enters the wrong login information (already registered users) then it has to tell then them its wrong information but currently it takes then to a next page and then tells them its incorrect information. This is tedious as every time they enter wrong they will be redirected to a different page and then they have to...
5
1103
by: darrel | last post by:
This is an issue I brought up probably a year or so ago, got some advice, then was sidetracked on the project until now. So, here I am again. ;o) The situation is that we have an older chunk of code I've been tasked to maintain 'as-is'. It's a CMS we wrote in ASP.net 1.1 about 4 years ago. It works. But we have one major issue and that's when people log in, maybe 5% of the time, the end up with someone elses credentials. There's...
5
3195
by: mcfly1204 | last post by:
I am attempting to use WebRequest to access a page that requires a login/password to access. My last WebRequest continues to timeout. Any help or thoughts would be appreciated. namespace FormsAuthTest { class Program { static void Main(string args) { HttpWebRequest request = null;
12
3061
by: tvnaidu | last post by:
I have Two kinds of web pagess, one is for control page for only admin login, another one is to view status for user login. initially both html files can view with 192.168.0.10/control.htm and other file is 192.168.0.10/status.htm. I searched on Internet and I got some login code. this login comes when I give 192.168.0.10, then I gets login page, I can login with admin/admin, also I can login with user/user, once login, the corresponding page...
21
3857
by: tvnaidu | last post by:
This is the Java script I am using fo rlogin page, but cursor not pointing to login box, any idea how can I point cursor to login box when this page loaded?. here admin login take to control page and user login take to status page, if I give direct path without goto login, both pages display, can I add a check if user didn't login, then redirect to login page for both control.htm and status.htm, let me know. thanks in advance. <script...
13
4167
by: Apostle | last post by:
Hi all, after thinking for sometimes, I thought it will be great opportunity to learn if I will start from scratch and build my own register/login system. Here is the thread that I will be posting the progress and I hope you guys will help me. The code below is what I have so far. Just put two scripts in the same directory and that is! I hope you will help me Thanks! class.php <?php //php login sytem class LoginRegister{ function...
0
8683
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...
0
8611
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
1
8904
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
0
7741
agi2029
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
1
6531
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
0
5867
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
0
4624
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
1
3052
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
3
2007
bsmnconsultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.