
Problem with a session

Hello people

I have the following problem

I have a private area in my site.
The user enters the username and password, then clicks "enter" and the
session is created and also a session variable is created and set to
true.
Every page of the private area checks whether this session variable is
set to true and, if so, gives you access; otherwise it redirects
to a noaccess page.
The user moves around the private area, does whatever he/she has to do
and then logs out. Then the session is destroyed and the session
variable also.

Now if the user clicks the back button of the browser, he is redirected
to a noaccess page, fine, and so on as long as the user navigates back
in the session, but when the user gets to the log on page, it recovers
the POSTDATA and sets the session variable to true again and anyone
can see the private area.

I have set the page not to be cached, but it does not work...

Does anyone know how to solve this problem??

Thanks

May 12 '06 #1


Nacho wrote:
> Hello people

Hi Nacho,

> I have the following problem
>
> I have a private area in my site.
> The user enters the username and password, then clicks "enter" and the
> session is created and also a session variable is created and set to
> true.
> Every page of the private area checks whether this session variable is
> set to true and, if so, gives you access; otherwise it redirects
> to a noaccess page.
> The user moves around the private area, does whatever he/she has to do
> and then logs out. Then the session is destroyed and the session
> variable also.

So far ok.

> Now if the user clicks the back button of the browser, he is redirected
> to a noaccess page, fine, and so on as long as the user navigates back
> in the session, but when the user gets to the log on page, it recovers
> the POSTDATA and sets the session variable to true again and anyone
> can see the private area.

???
I am not sure what you are describing.
If a validated user uses the BACK button (the button that creates the most
headaches for server-side programmers), he is probably viewing cached pages.
If you disabled caching, maybe the browser makes a fresh request.

Now, if I have a var in my session like this:
$_SESSION["isAuthenticated"] = "Y";
it will remain in the session until YOU remove it, or the session ends.
The BACK button has little to do with that.

Be sure you know what is going on.

Try this for debugging:
Start all your pages you are investigating with:
<pre>
<? pring_r($_SESSION) ?>
</pre>

(after the body tag)

Now with this small addition you can easily see what session data is on
which page.

Great way to debug.
If you have a live site and do not want to spit out geeky information into
your visitors' faces, just put HTML comment tags around it, and use
view-source to view the data.

> I have set the page not to be cached, but it does not work...

How?
In the browser or with extra header information?

> Does anyone know how to solve this problem??

Soon you can yourself if you use the print_r debugging option. :-)

Regards,
Erwin Moller


May 12 '06 #2

Erwin Moller wrote:
> Try this for debugging:
> Start all your pages you are investigating with:
> <pre>
> <? pring_r($_SESSION) ?>
> </pre>

That should be:
<? print_r($_SESSION) ?>

Regards,
Erwin Moller
May 12 '06 #3

Hi Erwin

First, thanks for the reply.
My English is not so good...

Anyway, let's take it from

> Now if the user clicks the back button of the browser, he is redirected
> to a noaccess page, fine, and so on as long as the user navigates back
> in the session, but when the user gets to the log on page, it recovers
> the POSTDATA and sets the session variable to true again and anyone
> can see the private area.

I will try to put a real example:
Let's say that you are the user and you have been doing stuff in the
private area, then after a while, you log off. Then the session is
destroyed and also all its variables. Then you leave the internet cafe
but you don't close the browser. Somebody else comes and starts clicking
on the back button; he/she gets redirected to a "no-access" page
because there is no session anymore, thus no session variable. BUT when
he/she gets to the log on page (after having clicked x times)...... the
script gets executed again and the session is started and the value
of $password is taken from the cache (from the logonHTML.php page) and
the logon succeeds.

I think I should have set the logonHTML.php page, which is the one that
has the password textbox, as not cached (using headers); I just realised
now, but I can't try until I get home...

This is more or less the code of these pages

logon.php ************************************************************

<?php
session_start();

// here I set the page not to be cached
header('Cache-Control: no-cache');

if (isset($_POST['password'])) { // name of the textbox
    if (password_is_ok($_POST['password'])) { // the real check goes here
        $_SESSION["isAuthenticated"] = "Y";
        echo 'log on is successful';
        menu();
    } else {
        // log on form
        include 'logonHTML.php';
        footer();
        exit();
    }
}

// log on form
include 'logonHTML.php';
footer();
?>

logon.php ************************************************************
logonHTML.php ********************************************************

<form method="post" action="">
    <input type="password" name="password">
    <input type="submit" value="enter">
</form>

logonHTML.php ********************************************************

Thanks anyway and I hope not to confuse you!!

May 12 '06 #4

Nacho wrote:
> Hi Erwin

Hi Nacho,

> First, thanks for the reply.
> My English is not so good...

It is not bad either.
I can easily understand. :-)
Your first posting was a bit vague, but now I understand your problem.

> Anyway, let's take it from
>
> > Now if the user clicks the back button of the browser, he is redirected
> > to a noaccess page, fine, and so on as long as the user navigates back
> > in the session, but when the user gets to the log on page, it recovers
> > the POSTDATA and sets the session variable to true again and anyone
> > can see the private area.
>
> I will try to put a real example:
> Let's say that you are the user and you have been doing stuff in the
> private area, then after a while, you log off. Then the session is
> destroyed and also all its variables. Then you leave the internet cafe
> but you don't close the browser. Somebody else comes and starts clicking
> on the back button; he/she gets redirected to a "no-access" page
> because there is no session anymore, thus no session variable. BUT when
> he/she gets to the log on page (after having clicked x times)...... the
> script gets executed again and the session is started and the value
> of $password is taken from the cache (from the logonHTML.php page) and
> the logon succeeds.

OK, this is the real problem.
You are afraid a lot of private pages are cached in the browser's memory
and can be retrieved easily by pressing the BACK button.

This IS a real problem, and you cannot 100% solve it.
You can, however, try to tell the browser NOT to cache it.
BUT, if the browser has a will of its own, or is simply configured to store
all pages on disk/cache, you have little or no control.

I would suggest that you google a bit around because the problem you
describe is a famous one.

Here is a nice place to start.
http://www.htmlgoodies.com/beyond/re...le.php/3472881

Remember however, YOU are not/never going to control the client browser, and
everybody is free to build and release a browser that just ignores your
headers and WILL cache everything it wants until 2050 and publish it in
a newspaper.
You are not controlling the browser. Period.
Once the browser has received a response from the server, it is out of your
hands/control.
A lot of people can come up with tricks (in javascript maybe), but none will
be 100% secure.

So start by looking into the caching problem, make the best headers you can
come up with, and keep your fingers crossed.

If that is not enough for you, you could add a few hurdles for people so the
simple BACK button won't work.
One easy way is using AJAX to fill the page.
If somebody hits BACK, at least the page will be empty, because your
AJAX scripts are configured to only respond if a valid session is found.
(Don't be afraid of AJAX, it is extremely simple. If you are interested,
this is a nice place to start: www.w3schools.com/ajax)

If security is a real concern of yours, you might also want to look into
the secure sister of http, named https.
At least it transmits the data scrambled over the internet.

One last word on this: If you just want to block simple back-button access,
try one of the above suggestions. If you need real security, call in some
help from an experienced expert. Security is a very complex business.

Good luck.
Regards,
Erwin Moller

May 12 '06 #5
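The replies above stop at "send the best no-cache headers you can and keep your fingers crossed". Headers are worth sending, but the replay Nacho describes can also be stopped on the server, where the browser has no say. Here is an added example (not code from the thread or from any of the posters) in the shape of Nacho's logon.php that combines the no-cache headers with two server-side measures: a single-use form token kept in the session, so a POST replayed after logout carries a token the destroyed session no longer knows and is refused before the password is even looked at, and a redirect after a successful login so the POST itself never sits in the browser history. It assumes PHP 7.3 or later (array form of session_set_cookie_params), a hypothetical check_credentials() backed by a constructed in-memory user table, and that menu.php and logon.php exist under those names.

```php
<?php
// logon.php: added example, not the thread's own code.
// Assumes PHP 7.3+ and that menu.php exists and re-checks the session itself.
declare(strict_types=1);

// Keep the session cookie away from script and from cross-site POSTs.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax',
                           'secure' => (($_SERVER['HTTPS'] ?? 'off') !== 'off')]);
session_start();

// Ask browsers and proxies not to store the login page at all. Best effort
// only: the token check below is what actually stops a replayed POST.
header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
header('Pragma: no-cache');
header('Expires: Thu, 01 Jan 1970 00:00:00 GMT');

// Hypothetical credential check against a constructed in-memory user table.
// Replace the table with a database lookup; keep password_verify().
function check_credentials(string $user, string $pass): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['demo' => password_hash('demo-secret', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// Remove every trace of the session: data, server-side record and cookie.
function end_session(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}

if (isset($_GET['logout'])) {
    end_session();
    header('Location: logon.php', true, 303);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The form token is single use: consume it before checking anything.
    // After a logout the session, and with it the token, is gone, so a POST
    // replayed from the browser cache fails here, correct password or not.
    $expected = $_SESSION['login_token'] ?? '';
    unset($_SESSION['login_token']);
    $given = (string)($_POST['login_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        header('Location: logon.php?err=expired', true, 303);
        exit;
    }

    $user = (string)($_POST['username'] ?? '');
    $pass = (string)($_POST['password'] ?? '');
    if (!check_credentials($user, $pass)) {
        header('Location: logon.php?err=bad', true, 303);
        exit;
    }

    // Privilege changed: issue a new session id so an id planted before
    // login (session fixation) never becomes an authenticated one.
    session_regenerate_id(true);
    $_SESSION['isAuthenticated'] = 'Y';
    $_SESSION['user'] = $user;
    $_SESSION['login_time'] = time();
    $_SESSION['last_seen'] = time();

    // Post/Redirect/Get: the history entry becomes the GET of menu.php,
    // never the POST carrying the password, so "back" cannot resubmit it.
    header('Location: menu.php', true, 303);
    exit;
}

// GET: render the form with a fresh token bound to this session.
$_SESSION['login_token'] = bin2hex(random_bytes(16));
$messages = ['expired' => 'The form had expired, please try again.',
             'bad'     => 'Wrong username or password.'];
$code = $_GET['err'] ?? '';
$err = is_string($code) ? ($messages[$code] ?? '') : '';
?>
<!DOCTYPE html>
<p><?= htmlspecialchars($err, ENT_QUOTES, 'UTF-8') ?></p>
<form method="post" action="logon.php">
    <input type="hidden" name="login_token"
           value="<?= htmlspecialchars($_SESSION['login_token'], ENT_QUOTES, 'UTF-8') ?>">
    <label>Username <input type="text" name="username" autocomplete="username"></label>
    <label>Password <input type="password" name="password" autocomplete="current-password"></label>
    <button type="submit">enter</button>
</form>
```

Walk the internet-cafe scenario through this: after the logout the session record and cookie are gone; pressing back until the login POST is reached either refetches the form (no-store) or resubmits the cached POST, and the resubmitted login_token matches nothing in the fresh, empty session, so the request ends at "expired" without touching the password. The GET-based logout is kept for brevity; a link that can be triggered cross-site should really be a POST carrying the same kind of token.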

Nacho wrote:
> Hi Erwin
> I will try to put a real example:
> Let's say that you are the user and you have been doing stuff in the
> private area, then after a while, you log off. Then the session is
> destroyed and also all its variables. Then you leave the internet cafe
> but you don't close the browser. Somebody else comes and starts clicking
> on the back button; he/she gets redirected to a "no-access" page
> because there is no session anymore, thus no session variable. BUT when
> he/she gets to the log on page (after having clicked x times)...... the
> script gets executed again and the session is started and the value
> of $password is taken from the cache (from the logonHTML.php page) and
> the logon succeeds.
>
> I think I should have set the logonHTML.php page, which is the one that
> has the password textbox, as not cached (using headers); I just realised
> now, but I can't try until I get home...
>
> This is more or less the code of these pages
>
> [logon.php, quoted as posted above]

A couple of things:

1. Why cache the password? If isAuthenticated == 'Y', then there should
be no need for the password anymore. I can't think of a good reason to
ever move the password into a SESSION (from a POST or GET).

2. Add a timestamp to the login (i.e. $_SESSION['timestamp'] = time() )
and then test for both isAuthenticated and time() -
$_SESSION['timestamp'] < some limit. This causes your SESSION to
invalidate itself after a set period of time. Naturally, a valid user
needs to have the $_SESSION['timestamp'] updated on each page fetch so
that the SESSION will not go stale.

-david-

May 12 '06 #6
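David's second point, a timestamp next to isAuthenticated that every private page checks and refreshes, as an added example (not code from the thread or from any poster). It is an include for the top of every page in the private area, placed before any output. It assumes the login script stored $_SESSION['login_time'] and $_SESSION['last_seen'] as Unix timestamps alongside isAuthenticated, and that a noaccess.php exists. The check itself is a pure function of the session array and the clock so it can be tested without a web server; it adds an absolute lifetime to David's idle limit, because refreshing the timestamp on every request would otherwise let a hijacked session stay alive indefinitely.

```php
<?php
// require_auth.php: added example, not code from the thread.
// Assumes the login script set $_SESSION['login_time'] and
// $_SESSION['last_seen'] (Unix timestamps) next to isAuthenticated.
declare(strict_types=1);

const IDLE_LIMIT     = 15 * 60;  // log out after 15 minutes without a request
const ABSOLUTE_LIMIT = 8 * 3600; // and after 8 hours no matter how active

// Pure check so it can be exercised with a fake session array and clock.
function session_is_valid(array $session, int $now): bool
{
    if (($session['isAuthenticated'] ?? '') !== 'Y') {
        return false;
    }
    $last  = (int)($session['last_seen'] ?? 0);
    $start = (int)($session['login_time'] ?? 0);
    // Refreshing last_seen on every page keeps the idle timer honest; the
    // absolute limit keeps a stolen session from living forever.
    return ($now - $last) <= IDLE_LIMIT && ($now - $start) <= ABSOLUTE_LIMIT;
}

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

if (!session_is_valid($_SESSION, time())) {
    // Stale or missing login: drop the whole session rather than leave an
    // isAuthenticated flag lying around, then send the visitor away.
    $_SESSION = [];
    session_destroy();
    header('Location: noaccess.php', true, 303);
    exit;
}

// Valid request: slide the idle window forward.
$_SESSION['last_seen'] = time();

// Private pages must not be stored by the browser either.
header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
header('Pragma: no-cache');
header('Expires: Thu, 01 Jan 1970 00:00:00 GMT');
```

With this at the top of each private page, a session whose last_seen is older than IDLE_LIMIT, or whose login_time is older than ABSOLUTE_LIMIT, is destroyed on the next request regardless of what the browser has cached; the redirect uses 303 so the rejected request is not replayed as a POST.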

Thanks for all the advice. My page does not really require security,
but I want to implement it, and if it works perfectly, much better!
I see that the problem I'm facing is tricky, and I will try to solve
it using the right headers. AJAX will come later! I'm really looking
forward to using it, it is fantastic.

Well, have a good weekend :-)

Nacho

May 12 '06 #7

Thanks, I'm going to try playing with the time also. Tell you later

Ciao

May 12 '06 #8

On Fri, 2006-05-12 at 02:56 -0700, Nacho wrote:
> Now if the user clicks the back button of the browser, he is redirected
> to a noaccess page, fine, and so on as long as the user navigates back
> in the session, but when the user gets to the log on page, it recovers
> the POSTDATA and sets the session variable to true again and anyone
> can see the private area.
>
> I have set the page not to be cached, but it does not work...


As for the caching problem, Microsoft recommends using the Expires
header to prevent caching in IE:

<META HTTP-EQUIV="Expires" CONTENT="-1"> or
<?php header('Expires: -1');?>

Remember that you must use the php header tag prior to sending any
output to the browser.

Scott

May 12 '06 #9
