How to refresh login page after hitting back button results unwanted login

I'm not trying to prevent the back button! So I'm looking for a solution, not a patch.

How to prevent going backwards to the login and then refreshing the page (thus resending the username and password of the last user on the same computer), resulting in a successful login without knowing/typing in the credentials?

Little longer:
To make this simpler, say you only have 3 scripts: login.php, auth.php and page.php. In login.php you have a form asking for username and password. They're sent to auth.php and if they match, it'll show you the page.php content. If you log off when on page.php, you'll end up back on login.php.

Now here's the problem: if after logging out you keep going back (in browser history or with the back button) long enough, it'll take you back to where the un/pw was about to be sent to auth.php (the sending method in this form is POST). Since it was trying to send form data (in this case un/pw), it'll tell you "Warning: Page has expired". If you hit F5 and choose retry, it'll resend whatever un/pw combination was tried earlier (since it's still stored in the form/POST data) and will ultimately pass to page.php without typing in the un/pw again.

I've been trying to puzzle out the sequence of what must happen in the script, and when, in order to avoid such an easy exploit. I have a decent security arsenal including sessions, encrypted passwords, injection prevention, etc., but I don't get how even sessions would solve this, since that's when you're getting a new session_id along with the matched un/pw. To me it sounds like the un/pw is already typed in on some website and all you'd need to do is hit enter to log in. Like keys left in the car...

I must have missed something big time here! Any thoughts, links, solutions...?
Nov 1 '10 #1
code green
1,726 Recognized Expert Top Contributor
I think you need to take a look at
  header("Location: page.php"); // redirect; must run before any output is sent
So do the DB process stuff, then call this function before any browser output.
Nov 2 '10 #2
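The redirect above is the Post/Redirect/Get pattern: because auth.php answers the POST with a redirect instead of a page, the browser's history never holds a POST result that F5 could resubmit, and Back lands on the plain GET of login.php. The following is an added example of the three scripts wired that way; it is not code from the answerer or the original poster, and the in-memory $users array is a constructed stand-in for the real database lookup.

```php
<?php
// ---- auth.php (added example) ----
session_start();

// Constructed stand-in for the users table: username => password hash.
// In the real script this is the DB lookup the answer refers to.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

$user = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';

if (isset($users[$user]) && password_verify($pass, $users[$user])) {
    // Issue a fresh session id at login so an id obtained before
    // authentication is never carried over into the logged-in session.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;

    // 303 tells the browser to fetch page.php with GET. The POST response
    // has no body and no history entry of its own, so Back goes to the
    // empty login form and a refresh there cannot resend the credentials.
    header('Location: page.php', true, 303);
    exit;
}

// A failed attempt is also answered by redirect, never by rendering here:
// re-rendering would leave a POST result in history that F5 could replay.
header('Location: login.php?error=1', true, 303);
exit;

// ---- page.php (added example) ----
// session_start();
// if (empty($_SESSION['user'])) {          // no authenticated session
//     header('Location: login.php', true, 303);
//     exit;
// }
// echo 'Welcome, ' . htmlspecialchars($_SESSION['user']);

// ---- logout.php (added example) ----
// session_start();
// $_SESSION = [];                          // drop server-side state
// setcookie(session_name(), '', time() - 3600, '/'); // expire the cookie
// session_destroy();
// header('Location: login.php', true, 303);
// exit;
```

After logout, Back can still show a cached copy of page.php, but any request it makes is rejected by the session check, so the stale view is not a live login.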
