PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
PostPosted: Sat Jan 22, 2005 5:43 pm
Forum Regular
Joined: Wed Jan 14, 2004 6:06 pm
Posts: 746

PostPosted: Thu Jan 27, 2005 4:44 pm
Forum Commoner
Joined: Sun Dec 22, 2002 6:57 am
Posts: 59
Location: Denver

Remove the session cookie when a user logs out, then check for the cookie on every page load. Also, set Pragma: no-cache in the headers.

If the user logs out and then hits the back button, the browser *should* reload the page, see that the cookie isn't there, and then throw an error of your choosing. If the page does get cached for some reason, it'll look as if they are logged in, but it'll throw an error as soon as they click on something.

~Scott
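The logout-then-check flow Scott describes, as an added PHP example (not code from the thread). The no-cache headers it sends go beyond the single Pragma: no-cache header mentioned above: Pragma is an HTTP/1.0 header, and current browsers decide from Cache-Control, where no-store is what keeps a page out of the back/forward cache. The page name login.php and the use of $_SESSION['user_id'] as the "logged in" marker are assumptions for the example.

```php
<?php
// Added example, not from the original post: a protected page that sends
// no-cache headers, destroys the session and expires its cookie on logout,
// and refuses to render when no authenticated session is present.
// Assumes this runs before any output and that login.php exists (assumption).

declare(strict_types=1);

function send_no_cache_headers(): void
{
    // Pragma: no-cache is the header named in the post (HTTP/1.0).
    // Cache-Control: no-store is what keeps modern browsers from serving
    // the page from the back/forward cache after logout.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: Thu, 01 Jan 1970 00:00:00 GMT');
}

function start_session(): void
{
    // Only accept the session ID from the cookie (never the URL), reject IDs
    // the server did not issue, and keep the cookie away from scripts.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'httponly' => true,
        'samesite' => 'Lax',
        'secure'   => !empty($_SERVER['HTTPS']),
    ]);
    session_start();
}

function is_logged_in(): bool
{
    // The 'user_id' key is the example's marker for an authenticated session.
    return !empty($_SESSION['user_id']);
}

function require_login(): void
{
    // Called on every protected page load: without a valid session the page
    // body is never produced, so a cached or replayed request gets an error.
    if (!is_logged_in()) {
        http_response_code(403);
        exit('Not logged in.');
    }
}

function logout(): void
{
    // Clear server-side state, expire the cookie in the browser, and remove
    // the session file so the old ID can no longer be resumed.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage on a protected page:
start_session();
send_no_cache_headers();

if (($_GET['action'] ?? '') === 'logout') {
    logout();
    header('Location: login.php', true, 303);
    exit;
}

require_login();
echo 'Hello, user ' . htmlspecialchars((string) $_SESSION['user_id'], ENT_QUOTES, 'UTF-8');
```

Deleting the cookie on the client is a courtesy; session_destroy() is what actually invalidates the session, so a copy of the cookie an attacker took earlier stops working as well. The array form of session_set_cookie_params() needs PHP 7.3 or later.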
PostPosted: Sun Feb 06, 2005 12:44 pm
Forum Contributor
Joined: Sun Feb 06, 2005 12:22 pm
Posts: 124

> Its sessions based, though I use cookies to hold an encrypted user hash
> which will allow them to log in automatically when they come back
> should they choose to.

If you're interested in reading a suggested technique for this, try this:

http://fishbowl.pastiche.org/2004/01/19 ... t_practice

> I hope that this will make it harder to hijack the session, but only if you
> haven't already acquired the cookie I guess.

There are practices that can help prevent session hijacking, even if the session identifier is compromised:

http://shiflett.org/articles/the-truth-about-sessions
http://phpsec.org/projects/guide/4.html#4.2

> But then, if the next user were to come along and hit 'back' until they
> reached the page after the sign in form, the values still exist and the
> user is re-validated and accepted.

You can hide the POST request from the browser's history mechanism:

http://shiflett.org/articles/guru-speak-nov2004
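The linked articles are not reproduced in this thread, so the following is an added PHP example (my own, not the thread's or the articles' code) of the two points the reply raises: making a captured session identifier less useful, and keeping the login POST out of the browser history. It regenerates the session ID when the user authenticates, stores a User-Agent fingerprint that is re-checked on each request, and answers the POST with a 303 redirect so "back" returns to a GET, not to the credential submission. The user table, the page name /home.php and the field names are constructed for the example.

```php
<?php
// Added example, not code from the thread or the linked articles.
// Assumes it runs before any output. The user table below is constructed
// sample data; a real application would look users up in its database.

declare(strict_types=1);

ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_start();

// Constructed sample user store: username => [id, password_hash].
// The hash is generated at load time so the example runs as-is.
$USERS = [
    'alice' => ['id' => 42, 'hash' => password_hash('correct horse battery', PASSWORD_DEFAULT)],
];

function fingerprint(): string
{
    // Something a hijacker who only has the cookie may not reproduce exactly.
    // A weak signal on its own, so it is used alongside regeneration, not instead.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function session_is_valid(): bool
{
    // Re-checked on every request: a session whose fingerprint no longer
    // matches the client is treated as not logged in.
    return !empty($_SESSION['user_id'])
        && hash_equals((string) ($_SESSION['fingerprint'] ?? ''), fingerprint());
}

function check_credentials(array $users, string $username, string $password): ?int
{
    $row = $users[$username] ?? null;
    if ($row === null || !password_verify($password, $row['hash'])) {
        return null;
    }
    return $row['id'];
}

function login_user(int $userId): void
{
    // Discard the pre-login ID (and its server-side data) before storing the
    // authenticated state: an ID fixed or sniffed before this point does not
    // turn into an authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id']     = $userId;
    $_SESSION['fingerprint'] = fingerprint();
    $_SESSION['logged_in_at'] = time();
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $username = (string) ($_POST['username'] ?? '');
    $password = (string) ($_POST['password'] ?? '');
    $userId   = check_credentials($USERS, $username, $password);

    if ($userId !== null) {
        login_user($userId);
        // Redirect after POST: the history entry is the GET of /home.php,
        // so going back never re-submits or re-validates the form data.
        header('Location: /home.php', true, 303);
        exit;
    }

    // Failed login also redirects, so the POST is not what "back" lands on.
    $_SESSION['login_error'] = 'Invalid username or password.';
    header('Location: ' . strtok($_SERVER['REQUEST_URI'] ?? '/login.php', '?'), true, 303);
    exit;
}

// GET: render the form, showing any error left by the previous attempt.
$error = $_SESSION['login_error'] ?? '';
unset($_SESSION['login_error']);
echo '<form method="post">';
if ($error !== '') {
    echo '<p>' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>';
}
echo '<input name="username"><input name="password" type="password"><button>Log in</button></form>';
```

Regeneration protects against an identifier obtained before login; once an attacker holds the authenticated cookie, only the fingerprint check and the session's lifetime stand in the way, which is the caveat the quoted poster had in mind.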
