Problem with a session

Hello people

I have the following problem.

I have a private area in my site.
The user enters the username and password, then clicks "enter" and the
session is created and also a session variable is created and set to
true.
Every page of the private area checks whether this session variable is
set to true and if so, it gives you access; otherwise it redirects
to a noaccess page.
The user moves around the private area, does whatever he/she has to do
and then logs out. Then the session is destroyed and the session
variable also.

Now if the user clicks the back button of the explorer, he is redirected
to a noaccess page, fine, and so on as long as the user navigates back
in the session, but when the user gets to the log on page, it recovers
the POSTDATA and sets again the session variable to true and anyone
can then see the private area.

I have set the page not to be cached, but it does not work.....

Does anyone know how to solve this problem??

Thanks

May 12 '06 #1
Nacho wrote:
Hello people
Hi Nacho,

I have the following problem.

I have a private area in my site.
The user enters the username and password, then clicks "enter" and the
session is created and also a session variable is created and set to
true.
Every page of the private area checks whether this session variable is
set to true and if so, it gives you access; otherwise it redirects
to a noaccess page.
The user moves around the private area, does whatever he/she has to do
and then logs out. Then the session is destroyed and the session
variable also.
So far ok.

Now if the user clicks the back button of the explorer, he is redirected
to a noaccess page, fine, and so on as long as the user navigates back
in the session, but when the user gets to the log on page, it recovers
the POSTDATA and sets again the session variable to true and anyone
can then see the private area.
???
I am not sure what you are describing.
If a validated user uses the BACK button (the button that creates the most
headaches for server-side programmers), he is probably viewing cached pages.
If you disabled caching, maybe the browser makes a fresh request.

Now, if I have a var in my session like this:
$_SESSION["isAuthenticated"] = "Y";
it will remain in the session until YOU remove it, or the session ends.
The BACK-button has little to do with that.

Be sure you know what is going on.

Try this for debugging:
Start all your pages you are investigating with:
<pre>
<? pring_r($_SESSION) ?>
</pre>

(after body-tag)

Now with this small addition you can easily see what session-data is on
which page.

Great way to debug.
If you have a live site and do not want to spit out geeky information into
your visitors' faces, just put HTML comment tags around it, and use
view-source to view the data.

I have set the page not to be cached, but it does not work,.....
How?
In the browser or with extra header information?


Does anyonw how to solve this problem??

Soon you can yourself if you use the print_r debugging option. :-)

Regards,
Erwin Moller
May 12 '06 #2
Erwin Moller wrote:
Try this for debugging:
Start all your pages you are investigating with:
<pre>
<? pring_r($_SESSION) ?>
That should be:
<? print_r($_SESSION) ?>
</pre>

Regards,
Erwin Moller
May 12 '06 #3
Hi Erwin

First, thanks for reply
My english is not so good...

Anyway, lets take it from

Now if the user clicks the back button of the explorer, he is redirected
to a noaccess page, fine, and so on as long as the user navigates back
in the session, but when the user gets to the log on page, it recovers
the POSTDATA and sets again the session variable to true and anyone
can then see the private area.


I will try to put a real example:
Let's say that you are the user and you have been doing stuff in the
private area, then after a while, you log off. Then the session is
destroyed and also all its variables. Then you leave the internet cafe
but you don't close the browser. Somebody else comes and starts clicking
on the back button; he/she gets redirected to a "non-access" page
because there is no session anymore, thus no session variable. BUT when
he/she gets to the log on page (after having clicked x times)....... the
script gets executed again and the session is started and the value
from $password is taken from the cache (from the logonHTML.php page) and
the logon succeeds.

I think I should have set the logonHTML.php page, which is the one that
has the password textbox, as not cached (using headers). I just realised
now, but I can not try until I get home...

This is more or less the code of these pages

logon.php ****************************************************************

<?php
session_start();

// here I set the page not to be cached
header('Cache-Control: no-store'); // the header() call in the pseudocode had no argument

if (isset($_POST['password'])) // name of the textbox
{
    if (password_is_ok($_POST['password'])) // placeholder for the real password check
    {
        $_SESSION["isAuthenticated"] = "Y";
        echo 'log on is successful';
        menu();
        exit(); // otherwise execution falls through and the log on form is shown again
    }
    else
    {
        // log on form
        include 'logonHTML.html';
        footer();
        exit();
    }
}

// log on form
include 'logonHTML.html';
footer();
?>

logon.php ****************************************************************
logonHTML.php
****************************************************************

<form method="post" action="">
    <input type="password" name="password">
    <input type="submit" value="enter">
</form>

logonHTML.php
****************************************************************
Thanks anyway and I hope not to confuse you!!

May 12 '06 #4
Nacho wrote:
Hi Erwin
Hi Nacho,

First, thanks for reply
My english is not so good...
It is not bad either.
I can easily understand. :-)
Your first posting was a bit vague, but now I understand your problem.

Anyway, lets take it from

> Now if the user clicks the back button of the explorer, he is redirected
> to a noaccess page, fine, and so on as long as the user navigates back
> in the session, but when the user gets to the log on page, it recovers
> the POSTDATA and sets again the session variable to true and anyone
> can then see the private area.


I will try to put a real example:
Let's say that you are the user and you have been doing stuff in the
private area, then after a while, you log off. Then the session is
destroyed and also all its variables. Then you leave the internet cafe
but you don't close the browser. Somebody else comes and starts clicking
on the back button; he/she gets redirected to a "non-access" page
because there is no session anymore, thus no session variable. BUT when
he/she gets to the log on page (after having clicked x times)....... the
script gets executed again and the session is started and the value
from $password is taken from the cache (from the logonHTML.php page) and
the logon succeeds.


OK, this is the real problem.
You are afraid a lot of private pages are cached into the browsers memory
that can be retrieved easily by pressing the BACK button.

This IS a real problem, and you cannot 100% solve it.
You can however try to tell the browser NOT to cache it.
BUT, if the browser has a will of its own, or is simply configured to store
all pages on disk/cache, you have little or no control.

I would suggest that you google a bit around because the problem you
describe is a famous one.

Here is a nice place to start.
http://www.htmlgoodies.com/beyond/re...le.php/3472881

Remember however, YOU are not/never going to control the client browser, and
everybody is free to build and release a browser that just ignores your
headers and WILL cache everything it wants until 2050 and publish them in
a newspaper.
You are not controlling the browser. Period.
Once the browser has received a response from the server, it is out of your
hands/control.
A lot of people can come up with tricks (in javascript maybe), but none will
be 100% secure.

So start with looking into the caching problem, make the best headers you can
come up with, and keep your fingers crossed.

If that is not enough for you, you could add a few hurdles for people so the
simple BACK-button won't work.
One easy way is using AJAX to fill the page.
If somebody hits BACK, at least the page will be empty, because your
AJAX-scripts are configured to only respond if a valid session is found.
(Don't be afraid of AJAX, it is extremely simple. If you are interested,
this is a nice place to start: www.w3schools.com/ajax)

If security is a real concern of yours, you might also want to look into the
secure sister of http, named https.
At least it transmits the data scrambled over the internet.

One last word on this: If you just want to block simple back-button access,
try one of the above suggestions. If you need real security, call in some
help from an experienced expert. Security is a very complex business.

Good luck.
Regards,
Erwin Moller


May 12 '06 #5
Nacho wrote:
Hi Erwin
I will try to put a real example:
Let's say that you are the user and you have been doing stuff in the
private area, then after a while, you log off. Then the session is
destroyed and also all its variables. Then you leave the internet cafe
but you don't close the browser. Somebody else comes and starts clicking
on the back button; he/she gets redirected to a "non-access" page
because there is no session anymore, thus no session variable. BUT when
he/she gets to the log on page (after having clicked x times)....... the
script gets executed again and the session is started and the value
from $password is taken from the cache (from the logonHTML.php page) and
the logon succeeds.

I think I should have set the logonHTML.php page, which is the one that
has the password textbox, as not cached (using headers). I just realised
now, but I can not try until I get home...

This is more or less the code of these pages

logon.php ****************************************************************

<?php
session_start();

// here I set the page not to be cached
header('Cache-Control: no-store'); // the header() call in the pseudocode had no argument

if (isset($_POST['password'])) // name of the textbox
{
    if (password_is_ok($_POST['password'])) // placeholder for the real password check
    {
        $_SESSION["isAuthenticated"] = "Y";
        echo 'log on is successful';
        menu();
        exit(); // otherwise execution falls through and the log on form is shown again
    }
    else
    {
        // log on form
        include 'logonHTML.html';
        footer();
        exit();
    }
}

// log on form
include 'logonHTML.html';
footer();
?>


A couple of things:

1. Why cache the password? If isAuthenticated == 'Y', then there should
be no need for the password anymore. I can't think of a good reason to
ever move the password into a SESSION (from a POST or GET).

2. Add a timestamp to the login (i.e. $_SESSION['timestamp'] = time() )
and then test for both isAuthenticated and time() -
$_SESSION['timestamp'] < some limit. This causes your SESSION to
invalidate itself after a set period of time. Naturally, a valid user
needs to have the $_SESSION['timestamp'] updated on each page fetch so
that the SESSION will not go stale.

-david-

May 12 '06 #6
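The guard David describes, written out as an added example (this is not code from the thread): every private page calls require_auth(), which checks isAuthenticated, rejects a session whose timestamp is older than an idle limit, and refreshes the timestamp on each successful check so an active user is not logged out. The limit, the key names and the noaccess.php target are assumptions.

```php
<?php
// Added example, not code from the thread: a per-page session guard with an
// idle timeout. Key names, the limit and the redirect target are assumed.
declare(strict_types=1);

const IDLE_LIMIT_SECONDS = 15 * 60; // assumed idle limit

/**
 * Returns true when the session is authenticated and has not been idle
 * longer than $limit. On success the timestamp is refreshed ("sliding"
 * expiry), which is the update David says a valid user needs on each fetch.
 * The session array is passed in so the logic can be exercised without a
 * live session.
 */
function session_is_valid(array &$session, int $now, int $limit = IDLE_LIMIT_SECONDS): bool
{
    if (($session['isAuthenticated'] ?? '') !== 'Y') {
        return false;
    }
    $last = $session['timestamp'] ?? null;
    if (!is_int($last) || $now - $last > $limit) {
        return false;
    }
    $session['timestamp'] = $now;
    return true;
}

/**
 * Call at the top of every private page. A stale or unauthenticated session
 * is destroyed server-side (and its cookie cleared) before redirecting, so
 * the old session ID cannot be reused.
 */
function require_auth(): void
{
    session_start();
    if (session_is_valid($_SESSION, time())) {
        return;
    }
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: noaccess.php');
    exit;
}
```

Note that the timestamp is only refreshed when the check succeeds, so an expired session is never revived by the request that discovers it is stale; it is destroyed and the user has to log on again, which also sets a fresh timestamp.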
Thanks for all the advice. My page does not really require security
but I want to implement it, and if it works perfectly, much better!
I see that the problem I'm facing is tricky, and I will try to solve
it using the right headers. AJAX will come later! I'm really looking
forward to using it, it is fantastic.

Well, have a good weekend :-)

Nacho

May 12 '06 #7
Thanks, I'm going to try playing with the time also. Tell you later

Ciao

May 12 '06 #8
On Fri, 2006-05-12 at 02:56 -0700, Nacho wrote:
Hello people

I have the following problem.

I have a private area in my site.
The user enters the username and password, then clicks "enter" and the
session is created and also a session variable is created and set to
true.
Every page of the private area checks whether this session variable is
set to true and if so, it gives you access; otherwise it redirects
to a noaccess page.
The user moves around the private area, does whatever he/she has to do
and then logs out. Then the session is destroyed and the session
variable also.

Now if the user clicks the back button of the explorer, he is redirected
to a noaccess page, fine, and so on as long as the user navigates back
in the session, but when the user gets to the log on page, it recovers
the POSTDATA and sets again the session variable to true and anyone
can then see the private area.

I have set the page not to be cached, but it does not work.....

Does anyone know how to solve this problem??

Thanks


As for the caching problem, Microsoft recommends using the Expires
header to prevent caching in IE:

<META HTTP-EQUIV="Expires" CONTENT="-1"> or
<?php header('Expires: -1'); ?>

Remember that you must use the php header tag prior to sending any
output to the browser.

Scott

May 12 '06 #9
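Pulling the thread's advice together as an added example (not code from the thread or from any library): a logon.php that sends the no-cache headers Erwin recommends, including the Expires: -1 Scott mentions, and additionally defends against the replay Nacho describes: a POST resubmitted from browser history after logout. The defence is a one-time login token that exists only in the server-side session; once logout has destroyed the session, the replayed POSTDATA carries a token no session knows, so it is rejected even though it contains the correct password. The file names, the password_is_ok() helper and the demo credential are assumptions, and the credential is constructed for illustration only.

```php
<?php
// Added example, not the thread's own code. Assumes menu.php exists and
// that logout calls session_destroy(), as Nacho's does.
declare(strict_types=1);

session_start();

// 1. Cache headers, sent before any output. "no-store" asks the browser
//    not to keep this page at all; Expires: -1 is Scott's IE-oriented form.
header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
header('Pragma: no-cache');
header('Expires: -1');

// Constructed demo credential; a real site loads the hash from its user store.
$DEMO_USER = 'nacho';
$DEMO_HASH = password_hash('correct horse battery staple', PASSWORD_DEFAULT);

function password_is_ok(string $user, string $pass, string $knownUser, string $knownHash): bool
{
    // hash_equals() and password_verify() are constant-time comparisons.
    return hash_equals($knownUser, $user) && password_verify($pass, $knownHash);
}

// 2. One-time login token, stored only in the session. Logout destroys the
//    session, so a POST replayed afterwards cannot match anything.
function issue_login_token(): string
{
    $_SESSION['login_token'] = bin2hex(random_bytes(16));
    return $_SESSION['login_token'];
}

function consume_login_token(?string $submitted): bool
{
    $expected = $_SESSION['login_token'] ?? null;
    unset($_SESSION['login_token']);       // single use, whatever the outcome
    return is_string($expected) && is_string($submitted)
        && hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $tokenOk = consume_login_token($_POST['token'] ?? null);
    $user = (string) ($_POST['username'] ?? '');
    $pass = (string) ($_POST['password'] ?? '');

    if ($tokenOk && password_is_ok($user, $pass, $DEMO_USER, $DEMO_HASH)) {
        session_regenerate_id(true);        // new session ID after login
        $_SESSION['isAuthenticated'] = 'Y';
        $_SESSION['timestamp'] = time();    // for an idle-timeout check
        header('Location: menu.php', true, 303); // Post/Redirect/Get
        exit;
    }
    // Wrong token or credentials: fall through and show the form again.
}

// 3. Render the form with a fresh token as a hidden field.
$token = issue_login_token();
?>
<form method="post" action="logon.php">
  <input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <label>Username <input type="text" name="username" autocomplete="username"></label>
  <label>Password <input type="password" name="password" autocomplete="current-password"></label>
  <button type="submit">Enter</button>
</form>
```

The headers alone are the part Erwin warns you cannot rely on, since the browser decides what it keeps. The token moves the decision to the server: whether or not the browser resubmits the old POSTDATA, the password is only accepted together with a token the current session issued, and the session that issued the original one was destroyed at logout. The password itself is never stored in the session, which is David's point.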
