'Back'-ing into secure mode after log out
Posted: Sat Jan 22, 2005 4:43 pm
I have a sample site I am working up, and as part of it I have made a login / user management system. It's session based, though I use cookies to hold an encrypted user hash which will allow them to log in automatically when they come back should they choose to. The cookie also functions as an automatic relogger if the IP of the session holder should change. I hope that this will make it harder to hijack the session, but only if you haven't already acquired the cookie I guess.
My problem is that when the user logs in they enter their username and password into a set of textboxes and press submit, the details are evaluated and then authorization is either granted or denied. The user goes along using the site, then they log out. This is all fine as far as I can tell.
But then, if the next user were to come along and hit 'back' until they reached the page after the sign in form, the values still exist and the user is re-validated and accepted.
I guess I am wondering if there is an easy solution to this, or even if I need to worry about it. Short of, say, numbering login requests and storing that value in the database to make sure each login is unique, I don't know what to do.
Actually, that is quite do-able now that I come to say it. Is this a good idea? Is there an easier way?
Thanks.
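One way to implement the "number each login request" idea the post floats, as an added example that is not the poster's code: every rendering of the login form issues a random one-time token kept in the server-side session, the POST handler consumes it before checking credentials (so a copy of the same form resubmitted via 'back' is refused), and the handler answers with a redirect so the browser history holds a GET, not the POST result. The `Session` dict, `USERS` table and handler names are assumptions standing in for whatever framework the site uses.

```python
import secrets

class Session(dict):
    """Stand-in for a server-side session store (assumption for this example)."""

# Constructed sample credentials; a real site compares against a stored password hash.
USERS = {"alice": "correct horse"}

def render_login_form(session):
    """GET /login: mint a fresh one-time token and remember it server-side.
    The returned token would be embedded as a hidden form field."""
    token = secrets.token_hex(16)
    session["login_token"] = token
    return token

def handle_login_post(session, form):
    """POST /login: consume the token first, then check credentials.
    Returns (action, location) so the caller always redirects (Post/Redirect/Get)."""
    expected = session.pop("login_token", None)   # pop => single use
    supplied = form.get("token", "")
    if expected is None or not secrets.compare_digest(expected, supplied):
        # Stale or replayed submission: the token was already consumed or never issued.
        return ("redirect", "/login?error=stale")
    if USERS.get(form.get("username")) != form.get("password"):
        return ("redirect", "/login?error=bad")
    session["user"] = form["username"]
    return ("redirect", "/home")

def handle_logout(session):
    """Drop everything, including any unused login token."""
    session.clear()

def replay_scenario():
    """Log in, log out, then resubmit the identical POST body (what 'back' + resubmit does)."""
    session = Session()
    token = render_login_form(session)
    form = {"username": "alice", "password": "correct horse", "token": token}
    first = handle_login_post(session, form)
    handle_logout(session)
    replay = handle_login_post(session, form)
    return first, replay, session.get("user")

if __name__ == "__main__":
    print(replay_scenario())
```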