how to restrict the browser controls

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

mang
Forum Newbie
Posts: 8
Joined: Thu Nov 02, 2006 12:43 am

how to restrict the browser controls

Post by mang »

In my project site I have a member area which the user can access only after login. I had done this using a cookie. After logout the cookie is destroyed and the user will be sent to the home page. But my problem is that even after logout he is able to go back to the member area using the browser back and forward controls. But I don't want to allow this to the user.
So how can I disable the back control of the browser? Is it possible? If yes, please provide me a solution (with code if possible).
Or any other solution will work. I'm using PHP code.

Thanking you in advance !
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

You will have to implement a solution at the server-side... Trying to influence the client behaviour is an attempt that can only fail...
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Re: how to restrict the browser controls

Post by Chris Corbyn »

mang wrote:In my project site I have a member area which the user can access only after login. I had done this using a cookie. After logout the cookie is destroyed and the user will be sent to the home page. But my problem is that even after logout he is able to go back to the member area using the browser back and forward controls. But I don't want to allow this to the user.
So how can I disable the back control of the browser? Is it possible? If yes, please provide me a solution (with code if possible).
Or any other solution will work. I'm using PHP code.

Thanking you in advance !
Have you got the slightest idea how irritating that can be? You should be building your apps to work with the browser, not breaking the browser to work with your app ;)
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

If he is able to use your site using the back button after logout, you have got an error in your application. Don't try to break a browser to fix it.

The solution is as simple as checking a session var that changes on logout and login.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Some quick suggestions for you:
  1. You should be checking whether the user is allowed on a page for each page. This eliminates the potential for someone to do something in an area where they shouldn't be.
  2. You shouldn't be worried about a back button press if you are checking authorization on page activity. If a user goes back and tries to do something after logging out, and your code is such that every page is checking authorization, then they will be met with an error page that destroys that ability to move forward.
  3. You can control whether pages render on back button presses with the cache-control settings of the header() function.
  4. Never force the user to change their system so your app can run. That is the fastest way to lose users.
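The server-side approach described in this post and in AGISB's reply above, as an added example that is not code from any of the posters: every member page checks the session before rendering, the response is marked uncacheable so the browser re-requests rather than replays it, and the session is rotated on login and logout. It assumes PHP sessions and a `$_SESSION['user_id']` key set at login; all function names are this example's own.

```php
<?php
// Added example (not from the thread): per-request authorization check plus
// no-store cache headers and session rotation. Assumes PHP sessions and a
// $_SESSION['user_id'] value set at login; the names here are illustrative.

function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

function send_no_cache_headers(): void
{
    // Without these the back button can render the cached member page even
    // though the server would now refuse the request.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Expires: Thu, 01 Jan 1970 00:00:00 GMT');
}

function require_login(string $login_url = '/login.php'): void
{
    ensure_session();
    send_no_cache_headers();
    // Runs on every request, so a back/forward navigation after logout is
    // rejected here no matter what the browser history still contains.
    if (empty($_SESSION['user_id'])) {
        header('Location: ' . $login_url, true, 303);
        exit;
    }
}

function login_user(int $user_id): void
{
    ensure_session();
    // Fresh session ID on privilege change; the pre-login ID cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user_id;
}

function logout_user(): void
{
    ensure_session();
    $_SESSION = [];
    // Expire the session cookie in the browser, then drop the server-side state.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

Call `require_login()` as the first statement of every member-area page, before any output, since `header()` must be sent ahead of the response body.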
mang
Forum Newbie
Posts: 8
Joined: Thu Nov 02, 2006 12:43 am

Post by mang »

timvw wrote:You will have to implement a solution at the server-side... Trying to influence the client behaviour is an attempt that can only fail...
Do you have any other solution? I mean once the cookie has been disabled, no previous history must be there. Is it possible? By the way, thanks.
n00b Saibot
DevNet Resident
Posts: 1452
Joined: Fri Dec 24, 2004 2:59 am
Location: Lucknow, UP, India

Post by n00b Saibot »

mang wrote:Do you have any other solution

switch to sessions
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

mang wrote:
timvw wrote:You will have to implement a solution at the server-side... Trying to influence the client behaviour is an attempt that can only fail...
Do you have any other solution? I mean once the cookie has been disabled, no previous history must be there. Is it possible? By the way, thanks.
That's simply not how HTTP works. Once the data is delivered you have absolutely no control over it whatsoever (you can only try to influence it with headers to indicate that the data isn't valid anymore after a given date and so on..).

You will really have to check at the server-side the current status before you accept to handle a request/post/...
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Everah wrote:You can control whether pages render on back button presses with the cache-control settings of the header() function.