Logging out of a SSL / https:// site using PHP? (or JS?), Client Side Cache

scubak1w1
Hello,

I have a series of web sites which use https:// authentication (using AD integration to 'check the credentials' as it were) - all seems to be working well...

I have been Googling et al. for a way to log the user off the site "fully"...

I can do a series of things on the server side per Dreamweaver's Server Behaviour / User Authentication | Log Out User, etc - but the client's browser cache (?) still keeps the credentials, and so if they return to the site (say, with their back button) they can get right back in... the only sure fire way that I can see, simply, is to close and reopen the browser.


Any thoughts on how to clear the user's browser's cache of a https:// site's credentials and then send them on to a non-secure page?


I thought of:

a.. closing and reopening the browser with some JS, if this is indeed possible - but I would need to somehow keep track of what other pages the user had open, their security settings might not allow it, the user would likely get annoyed (!), etc, etc

b.. "forcing" a 401 or 403 - but my attempts at 'coding' this were unsuccessful - and also how do you get the page to redirect on to something like www.adobe.com or something (because seeing a 403 'standard page message' would likely be "alarming" to the average user)

c.. I have some code in ASP that will do this, but the user would have to be limited to using Internet Destroyer - ugh! :-)

Thanks In Advance:
GREG...

Note: cross-posted to the JavaScript forum in case this is better solved using that, being client side and all... trust this is OK etiquette?
Apr 14 '09 #1
gregerly
I think this is going to depend on how exactly you're tracking that your user is "logged in". SSL shouldn't have anything to do with your user's logged in status. Typically, a user would log in and a flag of some sort would be set that says the user is logged in. Cookies and sessions come to mind. When the user logs out, simply kill the cookie and/or session. Validate the credentials each time the page loads. You should be able to avoid the browser cache problems this way.
Apr 14 '09 #2
Markus
Greg's right. Every page should be checking that the user is logged in, via a cookie, or whatever.

Even if the user were to hit the back button, they could do nothing malicious because any activity would cause the page to reload or a new page to be loaded, which would then check for a cookie that has been deleted via your logout.

- mark.
Apr 14 '09 #3
OK, I will go back and reread...

My understanding was that SSL aka https was taking care of the credential checking using, in our case, Active Directory user entries - and that PHP was just grabbing the UID from that source - for instance, what I do is:

  //grab the logged on user, depending on whether they logged on with the domain prepended
  if (substr_count($_SERVER['REMOTE_USER'], "\\") != 0) {
      //the logon has a domain prepended before the 'actual' UID: grab the logged on user
      //off the IIS server variable, split off the (presumed) "[domain]\" portion and discard it.
      //explode() takes a literal separator, so one PHP-escaped backslash ('\\') is enough;
      //the original split() was a POSIX-regex function (deprecated in PHP 5.3, removed in 7).
      list($logged_on_domain, $logged_on_user) = explode('\\', $_SERVER['REMOTE_USER'], 2);
  } else {
      //no domain prepended, so just the 'actual' UID
      $logged_on_user = $_SERVER['REMOTE_USER'];
  }
I can set $_SERVER['REMOTE_USER'] = 'baddomain\baduser' of course - but when I return to the secure page the user's browser cache (?) has reset $_SERVER['REMOTE_USER'] to be their previously logged on user name - so they are still logged in...

So maybe my "logging off" question is not really PHP-specific? Hmmm....

I will go back and reread various pages (paper and online) with your suggestion/s as the context - so thank you...

Regards,
GREG...
Apr 14 '09 #4
gregerly
The $_SERVER variable is a bad way of doing any kind of authentication. I would suggest you really look into how you authenticate your users and overhaul your existing system. The $_SERVER variable can be manipulated on the client side believe it or not, which makes it an unsuitable choice for authentication.

Maybe I'm not understanding how you arrived at your current system. You need to know that SSL (https) is simply a way of encrypting a page as it travels from the server to your browser. Nothing more. It has nothing to do with a users current "logged in" state.

The typical progression is a user has a record in some sort of user table. When a user tries to login by providing the username and password, the system checks if a user with that username and that password exists. If it does, it means the user is valid and some sort of flag is set usually with a session.

  session_start();
  $_SESSION['logged_in'] = true;
Then on each page you want to be only available to a logged in user you need to run a routine that checks to ensure the logged in flag is set:

  session_start(); // the flag lives in the session, so it must be started before it is read
  if (isset($_SESSION['logged_in']) && $_SESSION['logged_in'] === true) {
      //show them the protected page
      //this could be an ssl page, or not, example
      header('Location: https://mydomain.com/protected_page.php');
      exit; // stop here so nothing below runs after the redirect
  } else {
      //redirect somewhere else
  }
As you see above, the SSL only comes into play if you want the page encrypted, but has nothing to do with how the logged in status works. The above example is overly simple, but illustrates the point. Tweak it for your own site.

Hope I'm on the right track, if not post back here and we'll get you moving in the right direction.

Greg
Apr 14 '09 #5
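The session-flag scheme Greg describes, as an added example that is neither his nor the poster's code: a strict login check for every protected page, no-cache headers so the back button cannot show a stale protected page, and session id regeneration at login. check_credentials() is a hypothetical stand-in for whatever really verifies the user (a user table, or an ldap_bind() against AD); the cookie-flag array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example (not gregerly's or the poster's code): the session-flag
// scheme from the post above with the checks a production site needs.
// check_credentials() is a hypothetical stand-in for the real lookup.

function check_credentials(string $user, string $pass): bool
{
    // Hypothetical: replace with the real check (user table, ldap_bind()...).
    // Deny by default so a forgotten implementation never lets anyone in.
    return false;
}

function start_session(): void
{
    // Cookie flags: https only, not readable by JS, not sent cross-site (PHP 7.3+).
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    session_start();
}

// Call at the top of every protected page, before any output.
function require_login(): void
{
    start_session();
    // Strict check: an unset or non-bool flag must never count as logged in.
    if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== true) {
        header('Location: /login.php', true, 302);
        exit; // never fall through into the protected content
    }
    // Tell the browser not to serve this page from cache (the back-button
    // case): a revisit after logout then re-runs the check above.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: 0');
}

// Handle the POSTed login form; returns true when the flag was set.
function handle_login(string $user, string $pass): bool
{
    start_session();
    if (!check_credentials($user, $pass)) {
        return false;
    }
    // A new session id on login defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['logged_in'] = true;
    $_SESSION['user']      = $user;
    return true;
}
```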
Thanks Greg for the background... Sorry about the delay in replying, it has been a busy week...

(FYI - I am a geologist/scientist who has moved into data management, GIS, web mapping, etc, etc - hence my need to learn all of this as I go, the IT staff being so overwhelmed, and also mainly Windows network admins - so bear with any "silly questions"... <smile>)

Regarding SSL - That distinction is useful to know / be reminded about, thank you - since IIS integrates SSL and AD transparently to me as a non-IT-admin person, I guess I was not making that distinction clearly enough mentally...

I am writing functionality for the company intranet - and am using AD, so I don't have to sync credentials on "my" system with the 500± users in the AD... (i.e., when someone leaves the company, new hires, password changes, etc, etc) - and not forgetting that users may use the intranet site from the company internet site on PCs not logged on to the network... (say when they are on the road and suing an internet cafe? (sic))

AD has been in use on the intranet for site logon verification (sic) since before I got here - but the network admins did not look into how to log some one off as the site was a simple & clean one... (i.e., there was not much of value there, so the risk was low as they perceived...)

Now HERE is where I think I am having the issues... Using a "log off" link, I can use PHP to log them off "my" site, server side, and hence "demand" to see their AD credentials again...

BUT from my reading and understanding (and inexpert (!) experimentation), the browser seems to be caching the "previous" AD credential info - and so when it "sees" the request for AD credentials from the server (?), it 'says' "oh, I have those from a few minutes ago, here you go..." (i.e., the same browser session on the client's side if they haven't closed their browser in the meantime...), thereby re-logging them on server side directly (i.e., the user is NOT asked for their credentials again...)

So (assuming I have this right) is there a way to have PHP clear the user's browser cache of the appropriate AD credentials if the user is in the same browser session and then move to, say, www.google.com? Or should I be looking at some JS? (if they have closed the browser it is of course a moot point...)

I thought about "forcing" a 401, 403 or similar, but (i) how to do this programmatically?, and (ii) how to send them on to, say, the aforementioned www.google.com directly?

Or expending my efforts on other 'projects'? <smile>
Apr 22 '09 #6
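The "force a 401 and send them on" idea from the question, as an added example that is not the poster's code: a logout.php that ends the PHP session, disables caching, and answers 401 to a request that still carried HTTP credentials, with a body that moves the user on to a non-secure page. The goodbye URL and realm text are assumptions. Two caveats the code's comments repeat: $_SERVER['REMOTE_USER'] is filled in by the web server on each request, so assigning to it in PHP changes nothing for the next request; and the 401 trick only helps for HTTP Basic credentials, because with Integrated Windows Authentication (NTLM/Kerberos) the browser re-authenticates silently and only forms-plus-session authentication or closing the browser really ends the login.

```php
<?php
// Added example, not the poster's code: logout.php for a PHP site behind
// IIS/Apache HTTP authentication. The goodbye URL and realm are assumptions.
// This script must live inside the HTTP-auth-protected area, otherwise the
// browser never sends the credentials we want it to forget.
const GOODBYE_URL = 'http://intranet.example/goodbye.html'; // placeholder, non-SSL page

function end_php_session(): void
{
    session_start();
    $_SESSION = [];                        // drop the server-side state
    if (ini_get('session.use_cookies')) {  // and the cookie that names it
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

function no_cache_headers(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: 0');
}

end_php_session();
no_cache_headers();

// REMOTE_USER is set by the server per request; overwriting it in PHP does
// nothing for the next request. Instead, answer 401 to a request that carried
// credentials: most browsers then treat those Basic credentials as rejected and
// forget them (behaviour is browser-specific). With NTLM/Kerberos the browser
// simply re-authenticates, so this does not log an Integrated Windows user out.
if (isset($_SERVER['REMOTE_USER']) || isset($_SERVER['PHP_AUTH_USER'])) {
    http_response_code(401);
    header('WWW-Authenticate: Basic realm="Logged out"');
}
// The body is what the user sees after cancelling the prompt: a refresh plus a
// plain link, so the 401 is never a bare "alarming" error page.
?>
<!DOCTYPE html>
<html><head><title>Logged out</title>
<meta http-equiv="refresh" content="3;url=<?= htmlspecialchars(GOODBYE_URL) ?>"></head>
<body><p>You have been logged out. If a password prompt appears, press Cancel;
you will then be taken to <a href="<?= htmlspecialchars(GOODBYE_URL) ?>">the public site</a>.</p>
</body></html>
```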

