Hello,
I am trying to develop an authentication-based application using LiveUser.
(The login page provides the username and password, and LiveUser processes them to
determine whether the user is to be logged in or not.)
The problem I am facing happens with the following sequence of steps:
After a login followed by a logout, when the user presses the browser's Back button,
the browser reaches the page that was presented after the login and asks if the POST data
should be submitted again.
Because of this, a malicious user can log into the system with the previous user's account
if the previous user had forgotten to close the browser. (Imagine if it is an Internet cafe or
a computer center in a university.)
At the time of logout, the session information is destroyed and the cookie is not remembered at
the server (LiveUser settings).
As I understand, this behaviour needs to be controlled at the Browser.
Kindly help me out by throwing some light on this, and answering these:
1. How does one keep the browser from re-posting the username / password information when
the browser's Back button is used?
2. Is there any support for this in LiveUser itself?
3. What is the best solution for this problem?
regards,
Stephanas
Reposting of username/password
WebbieDave (Forum Contributor, Posts: 213, Joined: Sun Jul 15, 2007 7:07 am)
Re: Reposting of username/password
It's strange that the login process page doesn't send a redirect. That would remove the Back button problem you described. I don't use LiveUser but perhaps there is a way to have it respond with a redirect rather than an html page.
lonelywolf (Forum Commoner, Posts: 28, Joined: Tue Jun 10, 2008 6:15 am)
Re: Reposting of username/password
If the login phase is successful, after creating the session variable for the current user, you can send a header to redirect the current page. Maybe it will prevent re-posting your form.
Code:
if ($success) {
    // assign some session variables here
    // ..
    // redirect (header names are case-insensitive, but "Location" is the conventional spelling)
    header("Location: page_success.php");
}

Re: Reposting of username/password
Don't forget that it's always a good move to follow up any header redirects with ...
Code:
exit;
... on the following line.
It just prevents any further pointless scripting being processed after the redirect is sent (and prevents the always fun "Headers already sent" issue).
Re: Reposting of username/password
Stryks wrote:
    Don't forget that it's always a good move to follow up any header redirects with ...
    exit;
    ... on the following line.
    It just prevents any further pointless scripting being processed after the redirect is sent (and prevents the always fun "Headers already sent" issue).
Good point. The header redirect thing, after all, is merely a request to the client asking it to redirect.
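Putting the advice in this thread together (redirect after a successful login, exit immediately after the redirect, destroy the session on logout), here is an added example of a complete post/redirect/get login flow. It is not code from any of the posts above and it is not LiveUser code; the in-memory user store, the `?action=` URL scheme and the function names `send_no_store`, `redirect`, `login` and `logout` are assumptions made for the demo. It also adds two things the thread only implies: a `Cache-Control: no-store` header on every response, so the Back button cannot redisplay a cached post-login page, and `session_regenerate_id()` on login, so the authenticated session never reuses the id the browser had before authentication.

```php
<?php
// Added example for this thread (not from the original posts and not LiveUser
// code): post/redirect/get for the login step, exit after the redirect, and a
// logout that destroys the session and forbids caching of authenticated pages.
declare(strict_types=1);

// Constructed user store, an assumption for the demo. The hash is computed at
// start-up only so the script runs stand-alone; a real app reads a backend.
$users = ['stephanas' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Tells the browser not to keep a copy of this response, so Back after logout
// cannot redisplay the post-login page from the local cache.
function send_no_store(): void
{
    header('Cache-Control: no-store, max-age=0');
    header('Pragma: no-cache');
}

// 303 See Other: the browser follows with a GET, so the history entry that Back
// returns to is a GET, not the POST carrying the username and password.
// exit stops any further output that would otherwise follow the redirect.
function redirect(string $url): void
{
    header('Location: ' . $url, true, 303);
    exit;
}

// Returns true and binds the user to a fresh session id on success.
function login(array $users, string $user, string $pass): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;
    }
    session_regenerate_id(true);   // new id on privilege change (anti-fixation)
    $_SESSION['user'] = $user;
    return true;
}

// Clears server-side state and expires the session cookie in the browser.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => ($p['samesite'] ?? '') ?: 'Lax',
    ]);
    session_destroy();
}

session_start();
send_no_store();
$action = $_GET['action'] ?? 'home';   // ?action=login|logout|home

if ($action === 'login' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $u = (string) ($_POST['username'] ?? '');
    $pw = (string) ($_POST['password'] ?? '');
    if (login($users, $u, $pw)) {
        redirect('?action=home');
    }
    redirect('?action=login&failed=1');
}

if ($action === 'logout') {
    logout();
    redirect('?action=login');
}

if ($action === 'home') {
    if (empty($_SESSION['user'])) {
        redirect('?action=login');
    }
    echo 'Logged in as ', htmlspecialchars($_SESSION['user']),
         ' <a href="?action=logout">Log out</a>';
    exit;
}

// Login form, always served on a GET. A failed POST lands here via the
// redirect above, so the form is never rendered as the response to the POST.
echo isset($_GET['failed']) ? '<p>Login failed.</p>' : '';
echo '<form method="post" action="?action=login">',
     '<input name="username" autocomplete="username"> ',
     '<input name="password" type="password" autocomplete="current-password"> ',
     '<button>Log in</button></form>';
```

Run it with `php -S localhost:8080 login.php`, log in as `stephanas` / `correct horse`, log out, then press Back: the browser returns to the login form via a plain GET and never offers to resubmit the POST, because the POST's only response was the 303 and its history entry was replaced by the GET that followed it. Without the redirect, the POST response is the page Back returns to, which is exactly the resubmission prompt described in the first post. The `exit` after `header()` matters for the same reason Stryks gives: anything echoed after the redirect would be appended to the 303 body, and any later `header()` call would fail with "Headers already sent".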