Reposting of username/password

Posted: Thu Jun 12, 2008 2:58 pm
by stephanas
Hello,

I am trying to develop an authentication-based application using LiveUser.
(The login page provides the user name and password, and LiveUser processes them to
determine whether the user is to be logged in or not.)

The problem I am facing happens with the following sequence of steps:
After a login followed by a logout, when the user presses the browser's Back button,
the browser reaches the page that was presented after the login and asks whether the POST data
should be submitted again.

Because of this, a malicious user can log into the system with the previous user's account
if the previous user had forgotten to close the browser. (Imagine if it is an Internet cafe or a
computer center at a university.)

At the time of logout, the session information is destroyed and the cookie is not remembered by
the server (LiveUser settings).

As I understand it, this behaviour needs to be controlled at the browser.

Kindly help me out by throwing some light on this, and answering these:

1. How does one keep the browser from re-posting the username/password information when the
browser's Back button is used?
2. Is there any support for this in LiveUser itself?
3. What is the best solution for this problem?

regards,
Stephanas

Re: Reposting of username/password

Posted: Fri Jun 13, 2008 5:58 pm
by WebbieDave
It's strange that the login process page doesn't send a redirect. That would remove the Back button problem you described. I don't use LiveUser, but perhaps there is a way to have it respond with a redirect rather than an HTML page.

Re: Reposting of username/password

Posted: Fri Jun 13, 2008 11:15 pm
by lonelywolf
If the login phase is successful, after creating the session variable for the current user, you can send a header to redirect the current page. Maybe it will prevent re-posting your form.

Code:

    if ($success) {
        // assign some session variables here (session_start() must already have run)
        // ..

        // redirect the browser to a GET page so the POST is not what Back returns to
        header('Location: page_success.php');
        exit; // stop the script; nothing after the redirect should run
    }

Re: Reposting of username/password

Posted: Wed Jun 25, 2008 1:23 am
by Stryks
Don't forget that it's always a good move to follow up any header redirects with ...

Code:

    exit;

... on the following line.

It just prevents any further pointless scripting from being processed after the redirect is sent (and prevents the always-fun "Headers already sent" issue).

Re: Reposting of username/password

Posted: Wed Jun 25, 2008 9:57 am
by LBmtb
Stryks wrote:
    Don't forget that it's always a good move to follow up any header redirects with ...

    Code:

        exit;

    ... on the following line.

    It just prevents any further pointless scripting from being processed after the redirect is sent (and prevents the always-fun "Headers already sent" issue).

Good point. The header redirect, after all, is merely a request to the client asking it to redirect.
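The advice in this thread (redirect after a successful POST, then exit, and do not let the browser cache the login/logout responses) put together as an added example. This is not LiveUser code and not the original poster's code; the file name auth.php, the page names welcome.php and login.php, the check_credentials() stand-in and its single hard-coded account are all assumptions made for the example.

```php
<?php
// Added example for this thread; not LiveUser code and not the original
// poster's code. auth.php, welcome.php, login.php and check_credentials()
// are assumptions made for the example.
declare(strict_types=1);

session_start();

// Stand-in for the real credential check (LiveUser, a database lookup, ...).
// The single account below is constructed for the example only; hashing it
// on every request is slow and is done here only to avoid a hash literal.
function check_credentials(string $user, string $pass): bool
{
    static $hash = null;
    $hash ??= password_hash('correct-horse-battery-staple', PASSWORD_DEFAULT);
    return $user === 'alice' && password_verify($pass, $hash);
}

// Responses from the login/logout endpoint must never be served from cache,
// so Back cannot show a page that belonged to the previous session.
function send_no_cache_headers(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: 0');
}

// Post/Redirect/Get: answer the POST with 303 See Other and stop. The browser
// follows with a GET, so the POST (and the password in it) never becomes the
// history entry that Back returns to, and nothing is left to resubmit.
function redirect_after_post(string $target): void
{
    send_no_cache_headers();
    header('Location: ' . $target, true, 303);
    exit;   // nothing after the redirect may run or emit output
}

// Destroy the server-side session and expire the session cookie in the browser.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';

if ($method === 'POST' && isset($_POST['username'], $_POST['password'])) {
    $user = (string) $_POST['username'];
    $pass = (string) $_POST['password'];

    if (check_credentials($user, $pass)) {
        // Fresh session id on privilege change (defeats session fixation).
        session_regenerate_id(true);
        $_SESSION['user'] = $user;
        redirect_after_post('welcome.php');
    }
    redirect_after_post('login.php?error=1');
}

if ($method === 'POST' && isset($_POST['logout'])) {
    logout();
    redirect_after_post('login.php');
}

// Plain GET: show the login form, or the logout button when logged in.
send_no_cache_headers();
header('Content-Type: text/html; charset=utf-8');
$who = $_SESSION['user'] ?? null;
if ($who === null) {
    echo '<form method="post" action="auth.php">'
       . 'User: <input name="username"> '
       . 'Password: <input type="password" name="password"> '
       . '<button type="submit">Log in</button></form>';
} else {
    echo 'Logged in as ' . htmlspecialchars($who, ENT_QUOTES, 'UTF-8')
       . ' <form method="post" action="auth.php">'
       . '<button name="logout" value="1">Log out</button></form>';
}
```

To check it without a browser, run it under PHP's built-in server (php -S localhost:8000) and send the form with curl -i -d 'username=alice&password=correct-horse-battery-staple' http://localhost:8000/auth.php: the response should be a 303 with a Location: welcome.php header and a Cache-Control: no-store header, and no HTML body. In a browser, log in, log out, then press Back: because the only history entries are GETs, the browser has nothing to resubmit and never asks whether to send the POST data again. The exit after the Location header matters for the same reason Stryks gives above: anything echoed after the header would still be sent with the 303.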