back button and session id

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


josh4ever
Forum Newbie
Posts: 2
Joined: Wed Nov 15, 2006 1:15 am

back button and session id

Post by josh4ever »

Hi friends,

I have used sessions in my application. As the user logs out, he is redirected to the login page and the session id is deleted.

But the problem is that if a user presses the back button after this, then the session id gets generated. How do I prevent this?
Please help.
rameshmrgn
Forum Newbie
Posts: 15
Joined: Sat Jun 17, 2006 1:01 am

Post by rameshmrgn »

Have a common function which checks for the session, like:

// Call after session_start(); it redirects anyone without a logged-in session.
function check_session_user() {
    if (!isset($_SESSION['sessuser'])) {
        header("Location: login.php");
        exit; // stop here, otherwise the protected page is still sent after the redirect header
    }
}

Call this function at the top of each page.

It will take you to the login page if the session is destroyed.
josh4ever
Forum Newbie
Posts: 2
Joined: Wed Nov 15, 2006 1:15 am

Re: sessions and back button

Post by josh4ever »

Suppose a user logs in, performs his work and logs out.
Then another user uses the same browser without closing it, and if he presses the back button several times, then he gains access to the pages that the previous user visited.

What should I do?

Please ...
William
Forum Contributor
Posts: 332
Joined: Sat Oct 25, 2003 4:03 am
Location: New York City

Post by William »

Why is the session getting re-created if the user goes back in their browser? What is at the top of your pages that re-creates the session so that they're logged in again?
kaszu
Forum Regular
Posts: 749
Joined: Wed Jul 19, 2006 7:29 am

Post by kaszu »

My guess is that the browser uses the cache to display the page; it's not loaded from the server. Try

header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1

I took this from http://uk.php.net/header

EDIT:
Sorry, this doesn't work.
theFool
Forum Newbie
Posts: 17
Joined: Thu Oct 26, 2006 2:00 am
Location: Berlin, DE

Post by theFool »

I think it is a combination of browser cache and PHP garbage collection for sessions.

The sessions are normally stored in a temporary directory, but the garbage collection only cleans it randomly every now and then (the default is a 1% probability on every script call, as far as I remember). So when the browser sends the session id again and the garbage collection hasn't deleted the session data already, the session data is restored.
So you basically have two possibilities:
ensure that the browser can't send the session id after logout, or
ensure that void session information cannot be retrieved (which I tend to do in my project)
rameshmrgn
Forum Newbie
Posts: 15
Joined: Sat Jun 17, 2006 1:01 am

Post by rameshmrgn »

Are you destroying the session on logout?

Using the session_destroy() function...
aaronhall
DevNet Resident
Posts: 1040
Joined: Tue Aug 13, 2002 5:10 pm
Location: Back in Phoenix, missing the microbrews
Contact:

Post by aaronhall »

If I'm not mistaken, it sounds like your application is assuming the user is logged in if PHPSESSID has been assigned. The session ID is automatically generated by PHP as soon as you call session_start(), whether you have authenticated the user or not. As rameshmrgn suggested, create a session variable that is only set if the user has been authenticated, such as

$_SESSION['loggedIn'] = true;

All of your secured pages would then check if this session variable has been set before displaying the page.

// session_start() must already have been called on this page.
// empty() avoids an undefined-index notice when the flag was never set.
if (!empty($_SESSION['loggedIn'])) {
   // show secured content
} else {
   // user is not logged in; show login form
}
evolozik
Forum Newbie
Posts: 14
Joined: Thu Jan 04, 2007 1:20 pm

Post by evolozik »

I was having this problem too.
It didn't work with

$_SESSION['loggedIn'] = true;

// session_start() must already have been called on this page.
if (!empty($_SESSION['loggedIn'])) {
   // show secured content
} else {
   // user is not logged in; show login form
}

So I used this:

session_start();
session_regenerate_id();        // issue a new session id for this login
// some code
$_SESSION['ID'] = session_id(); // store the new id in the session itself

in the login page, so that it generates another session id whenever another user logs in.
Since the browser has not been closed, when the new user clicks back he will be directed to previous pages, which include the login page, and another id will be generated.
Since the id doesn't match the previous user's session id, the new user will not get access to it.

Well, this worked, but I don't know if it's a good way to proceed.
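Putting the thread's advice together (rameshmrgn's check function, theFool's two options, aaronhall's loggedIn flag and evolozik's session_regenerate_id) in one include file, as an added example that is not any poster's code; the file names login.php and logout.php, the function names and PHP 7.3 or later are assumptions:

```php
<?php
// Added example, not code from any poster in this thread. One include file:
// protected pages call require_login(), login.php calls mark_logged_in()
// after verifying credentials, logout.php calls logout(). PHP 7.3+ assumed.

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) { return; }
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');   // reject ids this server never issued
    session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
    session_start();
}

// Top of every protected page, before any output.
function require_login(): void
{
    start_secure_session();
    if (empty($_SESSION['loggedIn'])) {
        header('Location: login.php');
        exit;   // without exit the rest of the page is still sent to the client
    }
    // Stop the browser from showing this page from cache when Back is pressed.
    header('Cache-Control: no-store, no-cache, must-revalidate');
}

// Called once the credentials have been checked.
function mark_logged_in(string $username): void
{
    start_secure_session();
    session_regenerate_id(true);   // fresh id; the pre-login session file is deleted
    $_SESSION['loggedIn'] = true;
    $_SESSION['sessuser'] = $username;
}

// logout.php: remove the data on the server and the cookie in the browser,
// so a replayed old id finds nothing, whatever the garbage collector does.
function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
    header('Location: login.php');
    exit;
}
```

With use_strict_mode on, a browser that goes Back and resends the destroyed id simply gets a brand-new empty session, so the loggedIn check in require_login() fails regardless of what is still in the session directory.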
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

Direct them to a logout page, then use unset() to kill your session var.

On the logout page include the JavaScript history method to prevent them from going back.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

What's the point of storing the session id in the session it belongs to?
Z3RO21
Forum Contributor
Posts: 130
Joined: Thu Aug 17, 2006 8:59 am

Post by Z3RO21 »

I use it sometimes as a reference to a database entry.