LogOut not working on form pages in Safari and Firefox

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

freelance84
Forum Newbie
Posts: 8
Joined: Thu Apr 29, 2010 6:32 pm

LogOut not working on form pages in Safari and Firefox

Post by freelance84 »

The following snippet of code is from my authenticate page:

Code:

if($u_pass == $row[2])
{
   session_start();
   $_SESSION['ID']       = $row[0];
   $_SESSION['username'] = $row[1];
   $_SESSION['type']     = $row[3];
   $_SESSION['forename'] = $row[4];
   $_SESSION['surname']  = $row[5];

   if ($row[3] == '1')
   {header("location:adw-home.php");}
   elseif ($row[3] == '2')
   {header("location:nrt-home.php");}
   elseif ($row[3] == '3')
   {header("location:rst-home.php");}
}

The above code after checking the password starts the SESSION and takes the user to their homepage.

The next section is how all the user type 2 pages start:

Code:

<?php
session_start();
if (isset($_SESSION['username']))
{
   $u_ID = $_SESSION['ID'];
   $u_name = $_SESSION['username'];
   $u_type = $_SESSION['type'];
   $u_forename = $_SESSION['forename'];
   $u_surname = $_SESSION['surname'];
   if($u_type == 2)
   {
      // ............... content of the page
   }
   else echo "Sorry something has gone wrong with your user type, please contact site admin. Thank you.";
}
else echo "You are not logged in. Please <a href=\"index.html\">click here</a> to log in.";
?>

The next section is my logout.php

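Code:

<?php
session_start();
// Remove the values stored at login
unset($_SESSION['ID']);
unset($_SESSION['username']);
unset($_SESSION['type']);
unset($_SESSION['forename']);
unset($_SESSION['surname']);
// Destroy the session data held on the server
session_destroy();
header("location:index.php");
exit; // stop the script once the redirect header has been sent
?>

The logout code works on most pages.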

However, when I test the log out on a page which includes a form there is a problem in Firefox and Safari:
It takes the user to the index page, appears to destroy the session but if I just press back in the browser it will go back and view the page. It won't let me use the form but I can view it. It even shows the username.

I really am stuck here and don't understand what's going on. Especially as the logout works in Chrome and IE6 on all pages.

Does anyone have any ideas?

Thanks,

John.
Last edited by freelance84 on Fri Apr 30, 2010 7:13 am, edited 2 times in total.
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: LogOut not working on form pages in Safari and Firefox

Post by timWebUK »

Prevent the browser from caching the page by sending no-cache headers.

http://php.net/manual/en/function.header.php

View example #2
freelance84
Forum Newbie
Posts: 8
Joined: Thu Apr 29, 2010 6:32 pm

Re: LogOut not working on form pages in Safari and Firefox

Post by freelance84 »

Thanks for the pointer.

I tried implementing the following code into the header of one of the pages with forms:

Code:

<?php
header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Cache-Control: post-check=0, pre-check=0', FALSE);
header('Pragma: no-cache');
?>

However this has not resolved the issue and I can still simply press back and see the page. It is only when the page is reloaded after pressing back that it realises I have logged out.

Any ideas?
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: LogOut not working on form pages in Safari and Firefox

Post by timWebUK »

If you press back it doesn't rerun the script on the page, so it hasn't actually checked if you're authenticated. If you try and submit the form again it should redirect you to the login page.

There is not much you can do about this.
freelance84
Forum Newbie
Posts: 8
Joined: Thu Apr 29, 2010 6:32 pm

Re: LogOut not working on form pages in Safari and Firefox

Post by freelance84 »

hmm.

Well thanks for the pointer on the cache issues.

Hope I can find a work around at some point. :?
yacahuma
Forum Regular
Posts: 870
Joined: Sun Jul 01, 2007 7:11 am

Re: LogOut not working on form pages in Safari and Firefox

Post by yacahuma »

Even if you click back and the page does not refresh, you may be able to put a little javascript code to ajax to check the session. Never done it myself, but don't see why it will not work.
freelance84
Forum Newbie
Posts: 8
Joined: Thu Apr 29, 2010 6:32 pm

Re: LogOut not working on form pages in Safari and Firefox

Post by freelance84 »

I am trying to create a site with no client side scripting (at the moment): only using xhtml, css, php and mysql.

What I have found recently is that the later releases of Firefox have a built-in function which requires the user to reload the page if $_POST's were sent. This of course forces the browser to run the script again which then takes the user to the "you're not logged in" message and prevents them from seeing the page.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: LogOut not working on form pages in Safari and Firefox

Post by kaisellgren »

Use Tamper Data or Live Headers extension for Firefox to see if the browser makes an HTTP request to your script. If it does not, then it takes the page from a cache.
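
The server-side pieces this thread touches (the per-page login check, the no-cache headers and logout.php), gathered into one include as an added example that is not code from any poster. The function names, the file name auth.php and the redirect to index.php on a failed check are assumptions. The check runs only when the browser actually requests the page, which is why the request test suggested above is the way to tell a cached copy from a failed logout.

```php
<?php
// auth.php (hypothetical file name): added example, not code from the thread.
// Usage at the very top of a type 2 page, before any output:
//    require 'auth.php';
//    require_login(2);

// Tell the browser and any proxy not to store the response.
// Must be called before the page sends any output.
function send_no_cache_headers()
{
    header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
}

// Gate for protected pages. $required_type is the user type the page accepts.
function require_login($required_type)
{
    session_start();
    send_no_cache_headers();
    if (!isset($_SESSION['username'], $_SESSION['type'])
        || (int) $_SESSION['type'] !== (int) $required_type) {
        header('Location: index.php');
        exit; // nothing below the gate runs without a valid session
    }
}

// Logout: empty the session data, expire the session cookie in the browser,
// then destroy the server-side record and redirect.
function logout()
{
    session_start();
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    send_no_cache_headers();
    header('Location: index.php');
    exit;
}
```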