473,748 Members | 8,933 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

maintaining login status across page refreshes

hey guys,
on the main page of my site, i have a login area (user/pass text
boxes). when the user submits the form, the page is reloaded with with
a global php variable "loggedIn" set to true. i also store the
username and password in the page in a hidden form -- so that it can be
passed to other pages on the site through standard navigation
(maintaining the "loggedIn" status). however, is there any way to save
this information if the user hits refresh? as it stands, whenever the
user hits refresh, the user/pass data is lost, and loggedIn is set to
false. can this be worked around without using cookies? thanks!

Jul 23 '05 #1
4 2036
This is more of a PHP question than JavaScript. Take a look at PHP
sessions-- they do use cookies when they can, and don't when they
can't.

I'd say it's generally bad practice to have the password sent back and
forth so often, especially as the password might be cached by the
user's browser.

If you're not concerned about it (bad!), you might try having the
username and password as part of the URL
(mypage.php?use rname=Random&pa ssword=lost+hop e)

though that's far worse, I should think...

Jul 23 '05 #2
yeah, you're definitely right -- saving and passing around the password
is a bad idea. after i've verified that their username/pass is valid
(a database check), all i really need to pass around is the "login
status" and their "username" -- which could really just be condensed
down to username (when not null, the person is logged in). passing
around the username would allow them to post messages in their own
name, etc without having to continuously re-enter it. i could do what
you're suggesting, and do something like: "mypage.php?use rname=random",
however, then anyone could impersonate somebody else, by simply typing
"?username=rand om" into their browser. that's why i was trying to
store the username in a hidden form. but it seems there isn't any way
to grab that info when the page is refreshed. unless i'm missing
something?

Jul 23 '05 #3
The hidden form idea is still very easily forged.

What's to say I don't make a form, store it locally, and click a button
to impersonate someone?

<form action=http://losthope.com/mypage.php method=POST>
<input type=text name=username />
<input type=hidden name=loggedin value=1 />
<input type=submit value=Impersona te />
</form>

[File > Save As > C:\NameThief.ht ml]

See what I mean?

Check out PHP sessions. They'll take care of you.

But if you absolutely want to do it with an embedded form field...
well, refreshing shouldn't make a difference, because theoretically the
browser should repeat the exact same HTTP request it used in the first
place. i.e. Same form data.

There is no (simple, reliable) way to make JavaScript help you here.
The entire JavaScript 'state' is lost upon page refresh.

(if you're adamant, you could use an unload event handler that opens a
new window which monitors the main window for a return to your site and
auto-re-populates the information you want, then closes itself. but
this is really a lot of trouble when PHP [which you're already
implementing] can do all of this automatically with sessions)

P.S.
Did I mention PHP sessions?
lost hope wrote:
yeah, you're definitely right -- saving and passing around the password is a bad idea. after i've verified that their username/pass is valid
(a database check), all i really need to pass around is the "login
status" and their "username" -- which could really just be condensed
down to username (when not null, the person is logged in). passing
around the username would allow them to post messages in their own
name, etc without having to continuously re-enter it. i could do what you're suggesting, and do something like: "mypage.php?use rname=random", however, then anyone could impersonate somebody else, by simply typing "?username=rand om" into their browser. that's why i was trying to
store the username in a hidden form. but it seems there isn't any way to grab that info when the page is refreshed. unless i'm missing
something?


Jul 23 '05 #4
heh, ok, PHP sessions it will be! i was wondering if one could easily
circumvent the hidden form part, and it certainly seems to be the case.
i suppose it's time for a bit o' php research ;) thanks for the help!

Random wrote:
The hidden form idea is still very easily forged.

What's to say I don't make a form, store it locally, and click a button to impersonate someone?

<form action=http://losthope.com/mypage.php method=POST>
<input type=text name=username />
<input type=hidden name=loggedin value=1 />
<input type=submit value=Impersona te />
</form>

[File > Save As > C:\NameThief.ht ml]

See what I mean?

Check out PHP sessions. They'll take care of you.

But if you absolutely want to do it with an embedded form field...
well, refreshing shouldn't make a difference, because theoretically the browser should repeat the exact same HTTP request it used in the first place. i.e. Same form data.

There is no (simple, reliable) way to make JavaScript help you here.
The entire JavaScript 'state' is lost upon page refresh.

(if you're adamant, you could use an unload event handler that opens a new window which monitors the main window for a return to your site and auto-re-populates the information you want, then closes itself. but
this is really a lot of trouble when PHP [which you're already
implementing] can do all of this automatically with sessions)

P.S.
Did I mention PHP sessions?
lost hope wrote:
yeah, you're definitely right -- saving and passing around the

password
is a bad idea. after i've verified that their username/pass is valid (a database check), all i really need to pass around is the "login
status" and their "username" -- which could really just be condensed down to username (when not null, the person is logged in). passing
around the username would allow them to post messages in their own
name, etc without having to continuously re-enter it. i could do

what
you're suggesting, and do something like:

"mypage.php?use rname=random",
however, then anyone could impersonate somebody else, by simply

typing
"?username=rand om" into their browser. that's why i was trying to
store the username in a hidden form. but it seems there isn't any

way
to grab that info when the page is refreshed. unless i'm missing
something?


Jul 23 '05 #5

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

4
3438
by: XP | last post by:
I am having problems with the blow page. I have a login page where I enter the userid and password. This then connects to this page. If I enter the userid and password correctly, it prints successfully logged into system. If I enter the wrong information all I get is an erro page HTTP status 502 etc. Can anyone help? <?php
1
5509
by: Wayne Smith | last post by:
Applies to: Microsoft FrontPage 2000, Microsoft Access 2000, IIS 5.0 Operating System: Microsoft Windows 2000 Professional I am trying to protect a portion of a web site by allowing users to register a username and password & then login with those details, but so far I am having only marginal success. I am far from an expert on ASP programming, indeed the code I am using comes from "Sams Teach Yourself E-Commerce Programming with ASP" but it...
2
1173
by: Geoffrey Callaghan | last post by:
I have a set of variables in an ASP Page that are sent from another page using properties. This works fine. However, when I refresh that page, those properties are lost. How do I maintain those values between refreshes? I tried creating another set of properties, but that didn't work.
3
6223
by: satishknight | last post by:
Hi, Can some one tell me how to change the validation sequence for the code pasted below, actually what I want it when any one enters the wrong login information (already registered users) then it has to tell then them its wrong information but currently it takes then to a next page and then tells them its incorrect information. This is tedious as every time they enter wrong they will be redirected to a different page and then they have to...
5
1107
by: darrel | last post by:
This is an issue I brought up probably a year or so ago, got some advice, then was sidetracked on the project until now. So, here I am again. ;o) The situation is that we have an older chunk of code I've been tasked to maintain 'as-is'. It's a CMS we wrote in ASP.net 1.1 about 4 years ago. It works. But we have one major issue and that's when people log in, maybe 5% of the time, the end up with someone elses credentials. There's...
5
3199
by: mcfly1204 | last post by:
I am attempting to use WebRequest to access a page that requires a login/password to access. My last WebRequest continues to timeout. Any help or thoughts would be appreciated. namespace FormsAuthTest { class Program { static void Main(string args) { HttpWebRequest request = null;
12
3066
by: tvnaidu | last post by:
I have Two kinds of web pagess, one is for control page for only admin login, another one is to view status for user login. initially both html files can view with 192.168.0.10/control.htm and other file is 192.168.0.10/status.htm. I searched on Internet and I got some login code. this login comes when I give 192.168.0.10, then I gets login page, I can login with admin/admin, also I can login with user/user, once login, the corresponding page...
21
3866
by: tvnaidu | last post by:
This is the Java script I am using fo rlogin page, but cursor not pointing to login box, any idea how can I point cursor to login box when this page loaded?. here admin login take to control page and user login take to status page, if I give direct path without goto login, both pages display, can I add a check if user didn't login, then redirect to login page for both control.htm and status.htm, let me know. thanks in advance. <script...
13
4173
by: Apostle | last post by:
Hi all, after thinking for sometimes, I thought it will be great opportunity to learn if I will start from scratch and build my own register/login system. Here is the thread that I will be posting the progress and I hope you guys will help me. The code below is what I have so far. Just put two scripts in the same directory and that is! I hope you will help me Thanks! class.php <?php //php login sytem class LoginRegister{ function...
0
9534
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
0
9366
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
1
9316
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
0
9241
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
0
6073
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
0
4867
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
1
3303
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
2
2777
muto222
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.
3
2211
bsmnconsultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.