I'm still a novice when it comes to session security issues. The
problems I'm trying to solve may be fairly common, but I haven't seen
examples of solutions in any of the books I've looked at.
I currently have a page called 'login.php' which requires the user to
provide a userid/password combination. If the user logs in successfully
(i.e., the supplied userid/password combination is in the mysql
database), the user is directed to a page called 'user_view.php'. This
page contains a form which allows the user to update certain data for
their account, such as email address and telephone extension.
The owners of the site would like me to modify the site in the following
ways:
1. If a user, who has logged in successfully, navigates to another web
site within the same browser session, and then attempts to use the Back
button to return to the 'user_view.php' page within the same session,
they will be redirected back to 'login.php' and required to log in again.
2. If the 'user_view.php' page remains static (i.e., no user
interaction) for a fixed number of minutes (to be determined), the user
is also redirected back to the login page.
In both cases, the purpose is to guard against situations where there
may be multiple users on the same computer within the same browser session.
However, I've tested problem #1 with the web page for my credit union's
web site, and they don't seem to have addressed this issue. With my
credit union, if I log in successfully to my account information, I can
still browse to other web sites and then use the Back button to return
to my 'secure' account information. So I don't know how easy/hard it is
to solve problem #1.
I have a basic understanding of how to set session variables or cookies
when a user hits a particular page. However, I'm not clear on how I
would unset these variables or cookies if the user leaves the site
within the current browser session. I don't know if this is a common
problem or not.
Is there a way to set a cookie containing a value such as 'user_logged',
which expires when the user leaves the page? Can anyone point me to some
examples that address these issues?
>I currently have a page called 'login.php' which requires the user to provide a userid/password combination. If the user logs in successfully (i.e., the supplied userid/password combination is in the mysql database), the user is directed to a page called 'user_view.php'. This page contains a form which allows the user to update certain data for their account, such as email address and telephone extension.
PHP is a server-side language. The changes you want
have more to do with the client side than the server.
> The owners of the site would like me to modify the site in the following ways:
> 1. If a user, who has logged in successfully, navigates to another web site within the same browser session, and then attempts to use the Back button to return to the 'user_view.php' page within the same session, they will be redirected back to 'login.php' and required to log in again.
There are some ways to ask the browser not to cache a page (especially
one that is dynamic) in HTTP headers. This is more likely to be
successful if this is a https, not http, session. Once you leave
it, BACK won't take you back there without re-issuing the request
that created it (which the server can redirect).
It is also possible to use sessions and time out a session. If a
user comes back to user_view.php and the browser *DIDN'T* cache it
(if the browser DID cache it, the server won't see a request and
can't do a darned thing about it), but is re-issuing the request,
user_view.php can see that the session has expired and redirect it
back to login.php. Normally each page refreshes the session, so
if the user keeps clicking often, the session can stay open indefinitely,
but if the user goes away for, say, 5 minutes, the session ends.
For security, provide a "LOG OUT" button on every page in the
secure session. Of course, not all users will use it, but it's
still better than not having one.
> 2. If the 'user_view.php' page remains static (i.e., no user interaction) for a fixed number of minutes (to be determined), the user is also redirected back to the login page.
This is entirely a client-side issue. Some people try to
solve this issue with Javascript, which is Turned Off(tm).
> I have a basic understanding of how to set session variables or cookies when a user hits a particular page. However, I'm not clear on how I would unset these variables or cookies if the user leaves the site within the current browser session. I don't know if this is a common problem or not.
Your server doesn't get told when the user leaves the site.
It's none of your business.
> Is there a way to set a cookie containing a value such as 'user_logged', which expires when the user leaves the page?
Depending on how you define 'leaves the page', such a cookie may
*ALWAYS* expire, so there's no point in sending it in the first
place.
Gordon L. Burditt
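The no-cache headers, login check and "LOG OUT" handler described in the reply above, written out as an added example (not code from the thread or from any poster). It assumes login.php stores the authenticated user's id in $_SESSION['user_id'] and that this file is included at the top of user_view.php and every other page in the secure area.

```php
<?php
// secure_session.php (added example): include at the top of every secure page.
// Assumes login.php has set $_SESSION['user_id'] after a successful password check.

// Tell the browser (and any proxy) not to keep a copy of this response.
// 'no-store' is the directive that matters: a page that was never stored has
// to be re-requested when the user presses Back, and that request reaches
// the server, which can then send the user to login.php instead.
function send_no_cache_headers(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');                       // for old HTTP/1.0 caches
    header('Expires: Thu, 01 Jan 1970 00:00:00 GMT');  // a date already in the past
}

// Redirect to login.php unless the session carries a logged-in user.
function require_login(): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: login.php');
        exit;
    }
}

// Handler for the "LOG OUT" button every secure page should carry.
// Clearing $_SESSION alone leaves the session cookie in the browser, so the
// cookie is expired and the server-side session data destroyed as well.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: login.php');
    exit;
}

// session_cache_limiter() must run before session_start(); 'nocache' makes PHP
// send its own no-cache headers, and the explicit ones are sent afterwards so
// the page's intent does not depend on the php.ini default.
session_cache_limiter('nocache');
session_start();
send_no_cache_headers();

// The button is a POST form so a plain link from elsewhere cannot log the user out:
// <form method="post"><button name="logout" value="1">LOG OUT</button></form>
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['logout'])) {
    logout();
}
require_login();
```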
bonehead <se**********@here.org> wrote in message news:<dt%Kc.3842$Qv4.875@lakeread03>...
> I'm still a novice when it comes to session security issues. The problems I'm trying to solve may be fairly common, but I haven't seen examples of solutions in any of the books I've looked at.
<snip>
<http://martin.f2o.org/php/login> and
<http://www.devshed.com/c/a/PHP/Creating-a-Secure-PHP-Login-Script/>
might be the good start.
--
| Just another PHP saint |
Email: rrjanbiah-at-Y!com
While the city slept, bonehead (se**********@here.org) feverishly typed...
[login script]
> 1. If a user, who has logged in successfully, navigates to another web site within the same browser session, and then attempts to use the Back button to return to the 'user_view.php' page within the same session, they will be redirected back to 'login.php' and required to log in again.
Hmm... My first thought was http_referrer, but that is not reliable. My
second thought, which may be better, was to pass a value to the page from
the links within your secure area, eg. <a
href="securepage.php?insite=true"> - then check to see if "insite" is set to
"true" in your pages. If not, log them out and redirect to the login page.
Still not completely secure though...
> 2. If the 'user_view.php' page remains static (i.e., no user interaction) for a fixed number of minutes (to be determined), the user is also redirected back to the login page.
When you start your session, write the current time stamp to the session.
Write a second value to the session which is the limit in seconds (so, for 5
minutes, 5*60 = 300). When a new page is opened, check the session, get a
new current time stamp, and if that is greater than the session time stamp +
the time limit, then the session has timed out. Log the user out and
redirect to the login page. Otherwise, write the new current time stamp to
the session and carry on. This is off the top of my head as I remember doing
it (fairly recently, but sleep and Marstons Pedigree have both occurred
since then!)
Hope that helps,
Nige
--
Nigel Moss http://www.nigenet.org.uk
Mail address not valid. ni***@DOG.nigenet.org.uk, take the DOG. out!
In the land of the blind, the one-eyed man is very, very busy!
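The time-stamp scheme from Nige's reply above (write the current time and a limit in seconds to the session, compare on every page, refresh on success), as an added example that is not code from the thread or from any poster. It assumes login.php calls start_authenticated_session() after the password check and that every secure page calls enforce_idle_timeout() right after session_start(); the 5-minute limit is the "to be determined" value from the question.

```php
<?php
// idle_timeout.php (added example): idle-timeout check for the secure area.
// Assumes session_start() has already run on the calling page.

const IDLE_LIMIT_SECONDS = 5 * 60;   // 5 minutes = 300 seconds; adjust as the owners decide

// Called once, on successful login. A fresh session id is issued so that a
// session left behind by a previous user of the same browser is not reused.
function start_authenticated_session(int $userId, int $limit = IDLE_LIMIT_SECONDS): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']     = $userId;
    $_SESSION['last_active'] = time();   // current time stamp
    $_SESSION['idle_limit']  = $limit;   // limit in seconds
}

// The decision on its own, so it can be reasoned about without a web server:
// true when $now is past last_active + idle_limit, or when no login was recorded.
function session_has_timed_out(array $session, int $now): bool
{
    if (!isset($session['user_id'], $session['last_active'], $session['idle_limit'])) {
        return true;
    }
    return $now > $session['last_active'] + $session['idle_limit'];
}

// Called on every page in the secure area. Timed out: log out and redirect.
// Otherwise refresh the time stamp so ongoing activity keeps the session alive;
// a user who walks away for longer than the limit is sent back to login.php.
function enforce_idle_timeout(): void
{
    $now = time();
    if (session_has_timed_out($_SESSION, $now)) {
        $_SESSION = [];
        session_destroy();
        header('Location: login.php?reason=timeout');
        exit;
    }
    $_SESSION['last_active'] = $now;
}
```

PHP's own garbage collector (session.gc_maxlifetime) may also discard idle session data, but it runs probabilistically, so the explicit time-stamp comparison above is what actually enforces the limit.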
> <http://martin.f2o.org/php/login> and <http://www.devshed.com/c/a/PHP/Creating-a-Secure-PHP-Login-Script/> might be the good start.
I was looking for a good secure login example and the example above
has popped up a few times on various sites. One site contained quite a
bit of criticism about the example above and even though this may be
an *angry* individual, I was wondering if anyone was aware of any
examples out there that are proven to be secure enough to implement on
a content management type website?
Cheers
http://us2.php.net/reserved.variables
'HTTP_REFERER'
The address of the page (if any) which referred the user agent to the
current page. This is set by the user agent. Not all user agents will
set this, and some provide the ability to modify HTTP_REFERER as a
feature. In short, it cannot really be trusted.
This is a variable that you can check.
If the variable is NOT from your domain? You could flip your
switches, re-route the user to the login or whatever you wanted...
Just build a simple URL parser and find out what domain... Be aware
you should check for MULTIPLE domains. I have seen stuff similar to: http://www.domain.com/blahblahblah.......blahblahblah
Hope that helps...
On Tue, 20 Jul 2004 08:39:01 -0700, Brian Scott O'keefe wrote:
> http://us2.php.net/reserved.variables
> 'HTTP_REFERER' The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
> This is a variable that you can check. If the variable is NOT from your domain? You could flip your switches, re-route the user to the login or whatever you wanted... Just build a simple URL parser and find out what domain... Be aware you should check for MULTIPLE domains. I have seen stuff similar to: http://www.domain.com/blahblahblah.......blahblahblah
> Hope that helps...
The referrer can _NOT_ be used in a reliable fashion for _anything_. What
happens when I send 'Referrer modded by Ian' rather than anything you
might be expecting? And before you say "you're an idiot for doing that"..
sure, I'm unlikely to spend my time doing something like that, but some
windoze "firewalls" block referrers.. or many other applications can
modify / block referrer headers, so they're pretty much null&void.
Regards,
Ian
--
Ian.H
digiServ Network
London, UK http://digiserv.net/