Status
Not open for further replies.

anuj576

Programmer
Jul 20, 2008
Hey guys,
I have developed a web application in which I have applied sessions. The session starts when the user successfully logs in and ends when the user logs out. But the problem is that when the user logs out he can go back to the page, which is wrong.
Please give some suggestions.
 
Can you please tell me what is nonce???
I've heard it for the first time..
 
do you destroy the session cookies when the user logs out?
if not they would still be valid until the user closes the browser

Code:
	if (session_id() == '') session_start(); // A session must be active before it can be destroyed.
	$_SESSION = array(); // Destroy the variables.
	session_destroy(); // Destroy the session itself.
	setcookie (session_name(), '', time()-300, '/', '', 0); // Destroy the cookie (expiry in the past).

should be close enough.
 
the session method doesn't work because if you press the back button the browser will resubmit the login form, and then the session will be regenerated.

 
nope. a nonce is a Number Used Once.

what i do is:

1. insert a hidden field in the login form.
2. store the value of the hidden field in a session ID (note that i need sessions ON for this)
3. on submission test to see whether the session value exists and whether it equals the submitted post value.
4. if it doesn't then the submission is spoofed
5. if it does, i remove the value from the session store

the values are always globally unique ids.

something like this is the code i use
Code:
<?php
class nonce{
	public function __construct(){
		// the nonce lives in the session, so make sure one is running
		if (session_id() == '') session_start();
	}
	public function getNonce($type='default'){
		// reuse the pending value for this form type, or mint a new one
		if (!isset($_SESSION['nonce'][$type])){
			$_SESSION['nonce'][$type] = sha1 (uniqid('nonce', true));
		}
		return $_SESSION['nonce'][$type] ;
	}
	public function checkNonce($type='default'){
		if (empty($_SESSION['nonce'][$type])){
			return false; // nothing issued, or already consumed
		}
		if (empty($_POST['nonce'])){
			return false; // form submitted without the hidden field
		}
		if ($_SESSION['nonce'][$type] === $_POST['nonce']){
			unset ($_SESSION['nonce'][$type]); // single use: a resubmit of the same form fails
			return true;
		} else {
			return false;
		}
	}

	public function insertNonceField($type='default'){
		$value = $this->getNonce($type);
		return <<<HTML
	<input type="hidden" name="nonce" value="$value" />
HTML;
	}
}
?>
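The five numbered steps above and the logout sequence from the earlier reply, put together into one runnable page. This is an added example written for this edit, not code posted in the thread; the user name, password, URLs and the `action` routing are constructed for the demo, and it assumes PHP 7.1 or later (for `random_bytes`, `hash_equals` and return types). It also adds the one thing the original question needs that neither reply spells out: a `Cache-Control: no-store` header on every response, so that the Back button re-requests the protected page instead of showing a cached copy of it.

```php
<?php
// auth_demo.php: added example, not code from the thread.
// Run with:  php -S 127.0.0.1:8080 auth_demo.php   then open http://127.0.0.1:8080/
// The demo user below is constructed for this example; a real app reads a user store.
const DEMO_USER = 'alice';
$demoPasswordHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT); // constructed

function start_secure_session(): void {
    ini_set('session.use_strict_mode', '1');           // reject session IDs the server never issued
    session_set_cookie_params(0, '/', '', false, true); // httponly cookie; pass true for 'secure' behind HTTPS
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Tell the browser (and any cache in between) not to keep a copy of this response,
// so Back after logout re-requests the page and hits require_login() below.
function send_no_cache_headers(): void {
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: 0');
}

// Steps 1 and 2 of the thread: mint a random value and remember it in the session.
function issue_nonce(): string {
    $_SESSION['nonce'] = bin2hex(random_bytes(16));
    return $_SESSION['nonce'];
}

// Steps 3 to 5: accept the value once, compare in constant time, then forget it.
function consume_nonce(string $submitted): bool {
    $expected = $_SESSION['nonce'] ?? '';
    unset($_SESSION['nonce']);            // single use, whether or not it matches
    return $expected !== '' && hash_equals($expected, $submitted);
}

function require_login(): void {
    if (empty($_SESSION['user'])) {
        header('Location: /?action=login', true, 303);
        exit;
    }
}

// Logout: clear the data, expire the cookie, destroy the server-side record.
function logout(): void {
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        setcookie(session_name(), '', time() - 3600, '/', '', false, true);
    }
    session_destroy();
}

start_secure_session();
send_no_cache_headers();
$action = $_GET['action'] ?? 'home';

if ($action === 'login' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consume_nonce((string)($_POST['nonce'] ?? ''))) {
        http_response_code(400);
        exit('Stale or duplicate login submission; please load the form again.');
    }
    $user = (string)($_POST['user'] ?? '');
    $pass = (string)($_POST['pass'] ?? '');
    if ($user === DEMO_USER && password_verify($pass, $demoPasswordHash)) {
        session_regenerate_id(true);      // new ID on privilege change: no session fixation
        $_SESSION['user'] = $user;
        header('Location: /?action=home', true, 303); // Post/Redirect/Get: Back never re-POSTs
        exit;
    }
    http_response_code(401);
    exit('Invalid credentials.');
}

if ($action === 'login') {
    $nonce = htmlspecialchars(issue_nonce(), ENT_QUOTES, 'UTF-8');
    echo <<<HTML
<form method="post" action="/?action=login">
  <input type="hidden" name="nonce" value="$nonce">
  <input name="user" placeholder="user"> <input type="password" name="pass"> <button>Log in</button>
</form>
HTML;
    exit;
}

if ($action === 'logout') {
    logout();
    header('Location: /?action=login', true, 303);
    exit;
}

require_login();
$who = htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
echo "Logged in as $who. <a href=\"/?action=logout\">Log out</a>";
```

To see the two behaviours the thread is about: log in, log out, then press Back. The home page was served with no-store, so the browser refetches it and `require_login()` sends you to the login form. Then submit the cached login form a second time: the nonce was consumed on the first submission, so the replay gets a 400 instead of silently creating a new session.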
 
Is what I came up with in the same area of result?

Code:
<?php
// login

session_start();

////// adding security: we create the initial $need_to_match from here ////////

$str = $_SERVER['HTTP_USER_AGENT'];
$str .= 'asasasas';
$need_to_match = md5($str);
$_SESSION['need_to_match'] = $need_to_match;

// any landing page

$str = $_SERVER['HTTP_USER_AGENT'];
$str .= 'asasasas';
$need_to_match2 = md5($str);

if (isset($_SESSION['need_to_match']) && $_SESSION['need_to_match'] === $need_to_match2)
{
	// OK
}
else
{
	unset($_SESSION['need_to_match']);
	// etc...
}
 