back button and session id
hi friends,
i have used sessions in my application. As the user logs out, he is redirected to the login page and the session id is deleted.
But the problem is that, if a user presses the back button after this, then the session id gets generated. How do I prevent this?
Please help.
- rameshmrgn
- Forum Newbie
- Posts: 15
- Joined: Sat Jun 17, 2006 1:01 am
Re: sessions and back button
suppose a user logs in, performs his work and logs out.
then another user uses the same browser w/o closing it, and if he presses the back button several times, he gains access to the pages that the previous user visited;
what should i do???
please ...
My guess is that the browser uses the cache to display the page; it's not loaded from the server. Try
Code:
header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
took this from http://uk.php.net/header
EDIT:
Sorry, this doesn't work.
I think it is a combination of browser cache and PHP garbage collection for sessions.
The sessions are normally stored in a temporary directory, but the garbage collection only cleans it randomly every now and then (the default is a 1% probability on every script call, as far as I remember). So when the browser sends the session id again and the garbage collection hasn't deleted the session data yet, the session data is restored.
So you basically have two possibilities:
- ensure that the browser can't send the session id after logout, or
- ensure that void session information cannot be retrieved (which I tend to do in my project)
- rameshmrgn
- Forum Newbie
- Posts: 15
- Joined: Sat Jun 17, 2006 1:01 am
- aaronhall
- DevNet Resident
- Posts: 1040
- Joined: Tue Aug 13, 2002 5:10 pm
- Location: Back in Phoenix, missing the microbrews
If I'm not mistaken, it sounds like your application is assuming the user is logged in if PHP_SESS_ID has been assigned. The session ID is automatically generated by PHP as soon as you call session_start(), whether you have authenticated the user or not. As rameshmrgn suggested, create a session variable that is only set if the user has been authenticated, such as
Code:
$_SESSION['loggedIn'] = true;
All of your secured pages would then check if this session variable has been set before displaying the page.
Code:
if (!empty($_SESSION['loggedIn'])) { // set only after successful authentication
    // show secured content
} else {
    // user is not logged in; show login form
}

i was having this problem too
it didn't work with
Code:
$_SESSION['loggedIn'] = true;
if (!empty($_SESSION['loggedIn'])) {
    // show secured content
} else {
    // user is not logged in; show login form
}
so i used this:
Code:
session_start();
session_regenerate_id(); // pass true to also delete the old session file
//some code
$_SESSION['ID'] = session_id();
in the login page so that it generates another session id whenever another user logs in
since the browser has not been closed, when the new user clicks back he will be directed to the previous pages, which include the login page, and another id will be generated
since the id doesn't match the previous user's session id, the new user will not get access to it
well this worked but i dunno if it's a good way to proceed
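Putting the thread's suggestions together (the no-cache header, aaronhall's loggedIn flag, the regenerated id, and deleting the server-side data instead of waiting for garbage collection), as an added example that is not code from any poster here; login.php, logout.php and the 'loggedIn' key are assumed names:

```php
<?php
// Added example, not code from any post in this thread: a logout handler and a
// guard for secured pages. login.php, logout.php and the 'loggedIn' key are assumed names.
function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();   // PHP issues an id here whether or not anyone has logged in
    }
}

// Secured pages call this before emitting any output (headers must be sent first).
function require_login(): void
{
    ensure_session();
    // Personal page: forbid caching, so the back button has to re-request it
    // instead of replaying the old HTML from the browser cache.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
    // A bare session id proves nothing; only the flag set after authentication does.
    if (empty($_SESSION['loggedIn'])) {
        header('Location: login.php');
        exit;
    }
}

// logout.php: kill the session on both sides, so neither the back button nor a
// replayed cookie can revive it before PHP's probabilistic garbage collector runs.
function logout(): void
{
    ensure_session();
    $_SESSION = [];                           // 1. empty the session data
    if (ini_get('session.use_cookies')) {     // 2. expire the cookie in the browser
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                        // 3. delete the server-side data now
    header('Location: login.php');
    exit;
}

// login.php, only after the credentials have been verified:
function mark_logged_in(string $user): void
{
    ensure_session();
    session_regenerate_id(true);   // fresh id; true also deletes the old session file
    $_SESSION['loggedIn'] = true;
    $_SESSION['user']     = $user;
}
```

With the cookie expired and the server-side data destroyed, a back-button request carries either no session id or one that no longer maps to any data, so require_login() sends the second user to the login form.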