
Dweezel (Technical User), Feb 12, 2004
The index.php page of a website I'm designing needs to be frequently updated, so I've put some header functions at the top of the page that prevent browser caching of the HTML. This page is also the login page for the site.

All of the pages on the site that are visited test that $user_id is set as a session variable to make sure the user is logged in.

The problem I'm having is that when, for instance, userA logs out, if the browser back button is pressed a few times userB can get back to the point where userA sent his username and password to login. Because I've used the header functions described above the following message is displayed in the browser when this point is reached via the back button:
Warning: Page has Expired

The page you requested was created using information you submitted in a form. This page is no longer available. As a security precaution, Internet Explorer does not automatically resubmit your information for you.

To resubmit your information and view this Web page, click the Refresh button.


When refresh is clicked it produces a dialog box. When the 'retry' button is clicked on that dialog box the POST information that userA originally sent to login is resubmitted and userB gains access to the site.

This is obviously a fairly large security hole. Can anyone help me out?

This is quite normal.
Firstly, it is much better to utilise a session and create a cookie for the authorised user rather than a variable as normally you are not able to carry variables over as this is a security hole that has been remedied by turning global variables off.

Then when the user logs out you should script that the session is killed, i.e.:
Code:
session_destroy();
Hope this helps!

Reality is built on a foundation of dreams.

Thanks overyde. I am creating a session and using session_destroy() on logout (I'm not using cookies though). I was just wondering if there were some way of preventing the reprocessing of the POST text fields using PHP.
 
You can work around this by:
1. When the login form is generated, include a hidden field with the time included (or some other unique variable).
2. If the login is valid, log the access with the unique variable, either to a db or a text file with the name of the unique variable.
3. Test each new login to make sure that the variable hasn't already been used. If it has been, redirect to a clean login form.

[You could also use the session id instead of a unique variable. Log the session id used by the anonymous user and recreate the session with a new id on successful login.]
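The three steps above, together with the bracketed hint about rotating the session id, carried through in PHP as an added example (this is not code from the thread). The one-time token is kept in the visitor's session rather than in a database or text file, which serves the same purpose: once the token has been consumed it no longer matches anything, so a resubmitted POST is sent back to a clean form. check_credentials() is a hypothetical stand-in for the site's own user lookup, and the example assumes PHP 7 or later for random_bytes(), hash_equals() and the ?? operator. The redirect after a successful POST is an addition of this example, not part of the reply: it leaves a GET in the browser history, so the back button never offers to resubmit the credentials at all.

```php
<?php
// Added example (not from the thread): one-time login token plus session id
// regeneration, so a replayed login POST cannot re-authenticate a later user.
declare(strict_types=1);
session_start();

function check_credentials(string $username, string $password): ?int
{
    // Hypothetical stand-in: return the user's id on success, null on failure.
    // A real site would compare against a password_hash() value in its database.
    return null;
}

function issue_login_token(): string
{
    // Step 1: a fresh random token goes into the form as a hidden field and is
    // remembered server-side in the (still anonymous) session.
    $token = bin2hex(random_bytes(16));
    $_SESSION['login_token'] = $token;
    return $token;
}

function consume_login_token(?string $submitted): bool
{
    // Steps 2 and 3: the token is valid exactly once. Whatever the outcome it is
    // discarded, so a POST replayed from browser history carries a token that
    // no longer matches anything. hash_equals() avoids a timing side channel.
    $expected = $_SESSION['login_token'] ?? null;
    unset($_SESSION['login_token']);
    return is_string($submitted) && is_string($expected)
        && hash_equals($expected, $submitted);
}

function handle_login(): void
{
    if (!consume_login_token($_POST['login_token'] ?? null)) {
        header('Location: index.php');        // stale or replayed POST: clean form
        exit;
    }
    $user_id = check_credentials(
        (string)($_POST['username'] ?? ''),
        (string)($_POST['password'] ?? '')
    );
    if ($user_id === null) {
        header('Location: index.php?error=1'); // bad credentials
        exit;
    }
    // Rotate the session id on success so the anonymous id that was handed out
    // with the form is never the id of an authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user_id;
    // Redirect after POST: history then holds a GET, not the credentials.
    header('Location: home.php');
    exit;
}

function logout(): void
{
    // Called from the site's logout page: clear and destroy the session.
    $_SESSION = [];
    session_destroy();
    header('Location: index.php');
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    handle_login();
}

// Same idea as the original page's anti-caching headers.
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Pragma: no-cache');
$token = htmlspecialchars(issue_login_token(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="index.php">
  <input type="hidden" name="login_token" value="<?= $token ?>">
  <label>Username <input type="text" name="username"></label>
  <label>Password <input type="password" name="password"></label>
  <button type="submit">Log in</button>
</form>
```

Walking through the scenario from the question: userA logs in (token consumed, session id rotated), then logs out (session destroyed). userB presses Back until the browser offers to resubmit userA's POST. That POST still carries userA's old token, but no current session holds it, so consume_login_token() fails and the request is redirected to a fresh form; userA's credentials are never re-checked. Because every page checks $_SESSION['user_id'] and that value is set only after a token has been consumed and the id regenerated, there is no path from the replayed request to an authenticated session.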
 