login security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

aceconcepts
DevNet Resident
Posts: 1424
Joined: Mon Feb 06, 2006 11:26 am
Location: London

login security

Post by aceconcepts »

Hi,

I am new to php.

I have created a login page that works, but if I return to the login page after logging in using the 'Back' button, I am able to use the 'Forward' button to bypass the login form.

This is not good. How do I remedy this problem?

Thanks.

Nick
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

That is tough, if not impossible, to do, as the information is cached on the user's machine.

You can use header() to force the browser to reload the page every time it's hit, but that won't guarantee that it will be reloaded on EVERY user's machine when they hit back or forward.

Another option would be to use JS to prevent the user from using the back button (which only works if they have JS enabled).
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Note: using JavaScript to break the functionality of the back button is uncool.
sherrycrawley
Forum Newbie
Posts: 3
Joined: Mon Nov 13, 2006 9:10 am

How to stop back button?

Post by sherrycrawley »

Burrito wrote:
> That is tough, if not impossible, to do, as the information is cached on the user's machine.
>
> You can use header() to force the browser to reload the page every time it's hit, but that won't guarantee that it will be reloaded on EVERY user's machine when they hit back or forward.
>
> Another option would be to use JS to prevent the user from using the back button (which only works if they have JS enabled).

I have needed to stop the back button in a prior life.
When I asked about it, people would just say: "Well, use JavaScript to stop it".
However, I have never seen an example that does this. Everyone says you can do it, but can't show me how.

So, how can you prevent the back button? (assuming you have not turned off the tool bar in the window)?
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Re: How to stop back button?

Post by Chris Corbyn »

sherrycrawley wrote:
> Burrito wrote:
> > That is tough, if not impossible, to do, as the information is cached on the user's machine.
> >
> > You can use header() to force the browser to reload the page every time it's hit, but that won't guarantee that it will be reloaded on EVERY user's machine when they hit back or forward.
> >
> > Another option would be to use JS to prevent the user from using the back button (which only works if they have JS enabled).
>
> I have needed to stop the back button in a prior life.
> When I asked about it, people would just say: "Well, use JavaScript to stop it".
> However, I have never seen an example that does this. Everyone says you can do it, but can't show me how.
>
> So, how can you prevent the back button? (assuming you have not turned off the tool bar in the window)?

Don't do it... but:

try {
    history.go(-1);
} catch (e) {}
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Handle it with server-side code using header(). The only way to ensure you are getting the functionality you want without relying on users having a specific technology enabled is to handle it before the user has a chance to see it.
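
What handling it server-side with header() can look like, as an added example that is not part of the original thread or any poster's code: every protected page checks the session on the server and sends no-store cache headers before output. The `user_id` session key and the `/login.php` path are assumptions.

```php
<?php
// Added example. Assumed names: $_SESSION['user_id'] is set by the login
// handler on success, and the login form lives at /login.php.

function send_no_store_headers(): void
{
    // Ask the browser not to keep a copy, so Back/Forward has to re-request
    // the page. As noted in the thread, not every client honours this.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache'); // HTTP/1.0 caches
    header('Expires: 0');
}

function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    send_no_store_headers();

    // The real access control: decided on the server for every request,
    // whatever the browser history shows.
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php', true, 302);
        exit;
    }
}

function log_out(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];                       // drop server-side state
    if (ini_get('session.use_cookies')) { // expire the session cookie too
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: /login.php', true, 302);
    exit;
}

// Top of every protected page, before any output:
require_login();
echo 'Members area for user #' . (int) $_SESSION['user_id'];
```

With this in place a cached copy may still be shown by some browsers, but any new request after `log_out()` is redirected to the login form.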
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Rosebud. Rosebud.

Dead thread. Just for your information boys.