Reposting of username/password

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

stephanas
Forum Newbie
Posts: 1
Joined: Thu Jun 12, 2008 2:43 pm

Reposting of username/password

Post by stephanas »

Hello,

I am trying to develop an authentication based application using LiveUser.
(The login page provides the user name and password and the LiveUser processes it to
determine if the user is to be logged in or not.)

The problem I am facing happens with the following sequence of steps:
After a login followed by a logout, when the user presses the browser's Back button,
the browser reaches the page that was presented after the login, and asks if the POST data
should be submitted again.

Because of this, a malicious user can log into the system with previous user's account
if the previous user had forgotten to close the browser. (Imagine if it is an Internet Cafe or
Computer Center in a University).

At the time of logout, the session information is destroyed and cookie is not remembered at
the server (LiveUser settings).

As I understand, this behaviour needs to be controlled at the Browser.

Kindly help me out by throwing some light on this, and answering these:

1. How does one keep the browser from re-posting the username / password information when
the browser's Back button is used?
2. Is there any support for this in LiveUser itself?
3. What is the best solution for this problem?

regards,
Stephanas
WebbieDave
Forum Contributor
Posts: 213
Joined: Sun Jul 15, 2007 7:07 am

Re: Reposting of username/password

Post by WebbieDave »

It's strange that the login process page doesn't send a redirect. That would remove the Back button problem you described. I don't use LiveUser but perhaps there is a way to have it respond with a redirect rather than an html page.
lonelywolf
Forum Commoner
Posts: 28
Joined: Tue Jun 10, 2008 6:15 am

Re: Reposting of username/password

Post by lonelywolf »

If the login phase is successful, after creating the session variable for the current user, you can send a header to redirect the current page. Maybe it will prevent re-posting your form.

Code:

if ($success) {
    // assign some session variables here
    // ...

    // redirect
    header("location: page_success.php");
}
Stryks
Forum Regular
Posts: 746
Joined: Wed Jan 14, 2004 5:06 pm

Re: Reposting of username/password

Post by Stryks »

Don't forget that it's always a good move to follow up any header redirects with ...

Code:

exit;
... on the following line.

It just prevents any further pointless scripting from being processed after the redirect is sent (and prevents the always fun "Headers already sent" issue).
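Putting the replies above together, here is an added example of a login page that follows the Post/Redirect/Get pattern: it answers the POST with a redirect and exits immediately, so the browser never keeps a POST response in its history that Back could re-submit. This is not code from the thread or from LiveUser; verify_credentials() is a hypothetical stand-in for the real credential check, and the page names login.php and page_success.php, the single constructed user, and the logout-via-POST form field are assumptions for this example.

```php
<?php
// login.php: added example, not code from the thread or from LiveUser.
// Post/Redirect/Get for a login form, with exit after every redirect.
// Assumed: verify_credentials() stands in for the real LiveUser/DB check;
// page_success.php is the post-login page; logout is a POST with action=logout.
declare(strict_types=1);

session_start();

// Neither the login form nor any authenticated page should be served from the
// browser cache; send this on every authenticated page, not just here.
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Pragma: no-cache');

function verify_credentials(string $user, string $password): bool
{
    // Hypothetical stand-in: one constructed user whose hash is computed here
    // only for the example. Real code compares against a stored hash.
    $stored = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    return isset($stored[$user]) && password_verify($password, $stored[$user]);
}

function redirect_and_exit(string $path): void
{
    // 303 See Other makes the browser fetch the target with GET, so the POST
    // response never becomes a history entry that Back can re-submit.
    header('Location: ' . $path, true, 303);
    exit; // nothing after the redirect should run
}

function logout(): void
{
    $_SESSION = [];
    // Expire the session cookie on the client as well as destroying the server side.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (($_POST['action'] ?? '') === 'logout') {
        logout();
        redirect_and_exit('login.php');
    }

    $user = (string) ($_POST['username'] ?? '');
    $pass = (string) ($_POST['password'] ?? '');

    if (verify_credentials($user, $pass)) {
        session_regenerate_id(true); // fresh session id once the user is authenticated
        $_SESSION['user'] = $user;
        redirect_and_exit('page_success.php');
    }

    // Failed attempt: redirect as well, so refresh or Back never re-posts the password.
    $_SESSION['login_error'] = 'Invalid user name or password.';
    redirect_and_exit('login.php');
}

// GET request: render the form; an error message, if any, is carried in the session.
$error = $_SESSION['login_error'] ?? '';
unset($_SESSION['login_error']);
?>
<!DOCTYPE html>
<html><body>
<?php if ($error !== ''): ?>
  <p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form method="post" action="login.php">
  <input type="text" name="username" autocomplete="username">
  <input type="password" name="password" autocomplete="current-password">
  <button type="submit">Log in</button>
</form>
</body></html>
```

With this layout the browser history only ever holds GET requests (login.php, then page_success.php), so pressing Back after logout shows the login form rather than a "resubmit POST data?" prompt. Two details matter beyond the redirect itself: the failed-login branch redirects too, so the password is never left sitting in a POST response that a refresh would re-send, and the Cache-Control header has to be set on page_success.php and every other authenticated page as well, otherwise Back can still display a cached copy of the logged-in page even though the session is gone. PHP's session_start() already sends similar no-cache headers by default (session.cache_limiter), so the explicit header() calls are a harmless redundancy that survives a changed ini setting.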
LBmtb
Forum Newbie
Posts: 23
Joined: Wed May 14, 2008 11:14 am

Re: Reposting of username/password

Post by LBmtb »

Stryks wrote: Don't forget that it's always a good move to follow up any header redirects with ...

Code:

exit;
... on the following line.

It just prevents any further pointless scripting from being processed after the redirect is sent (and prevents the always fun "Headers already sent" issue).
Good point. The header redirect thing, after all, is merely a request to the client asking it to redirect.