PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
All times are UTC - 5 hours

PostPosted: Sat Jan 22, 2005 5:43 pm 
Forum Regular

Joined: Wed Jan 14, 2004 6:06 pm
Posts: 746

PostPosted: Thu Jan 27, 2005 4:44 pm 
Forum Commoner

Joined: Sun Dec 22, 2002 6:57 am
Posts: 59
Location: Denver
Remove the session cookie when a user logs out, then check for the cookie on every page load. Also, set `Pragma: no-cache` in the headers.

If the user logs out and then hits the back button, the browser *should* reload the page, see that the cookie isn't there, and then throw an error of your choosing. If the page does get cached for some reason, it'll look as if they are logged in, but it'll throw an error as soon as they click on something.
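Putting that advice into code, as an added example (not written by the poster or taken from the thread): a logout handler that expires the session cookie as well as destroying the server-side data, and a guard that every protected page calls first. The function names, the `/login.php` path and the `$_SESSION['user_id']` key are assumptions.

```php
<?php
// Added example, not from the original thread. Assumes a plain PHP session
// login that stores the user's id in $_SESSION['user_id'] (assumed key).

// Tell browsers and proxies not to keep authenticated pages, so pressing
// "back" re-requests the page instead of showing a cached copy.
function send_no_cache_headers(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: Thu, 01 Jan 1970 00:00:00 GMT');
}

// Call at the top of every protected page, before any output.
function require_login(): void
{
    send_no_cache_headers();
    // No session cookie presented: nothing to resume, treat as logged out.
    if (!isset($_COOKIE[session_name()])) {
        header('Location: /login.php?reason=expired');  // assumed path
        exit;
    }
    session_start();
    // Cookie present but the server-side session holds no user: stale id.
    if (empty($_SESSION['user_id'])) {
        session_unset();
        session_destroy();
        header('Location: /login.php?reason=expired');
        exit;
    }
}

// Call from the logout page.
function logout(): void
{
    session_start();
    $_SESSION = [];
    // Expire the cookie in the browser, not only the data on the server,
    // so a later page load cannot present the old session id.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    send_no_cache_headers();
    header('Location: /login.php');
    exit;
}
```

Without `no-store`, a browser may still serve the protected page from its cache after logout; the guard then catches the user on the next click, as the post describes.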


PostPosted: Sun Feb 06, 2005 12:44 pm 
Forum Contributor

Joined: Sun Feb 06, 2005 12:22 pm
Posts: 124
> It's session based, though I use cookies to hold an encrypted user hash
> which will allow them to log in automatically when they come back
> should they choose to.

If you're interested in reading a suggested technique for this, try this: ... t_practice

> I hope that this will make it harder to hijack the session, but only if you
> haven't already acquired the cookie I guess.

There are practices that can help prevent session hijacking, even if the session identifier is compromised:

> But then, if the next user were to come along and hit 'back' until they
> reached the page after the sign in form, the values still exist and the
> user is re-validated and accepted.

You can hide the POST request from the browser's history mechanism:
