 Posted by Gordon Burditt on 11/01/06 23:55 
>> Nope, because Firefox is never going to your site.  It's just serving 
>> the page up locally. 
>> 
>> You can set the page to expire immediately - but even that is only a 
>> recommendation to the browser - not a requirement. 
>> 
>> The only solution is to close the browser after logging off. 
>> 
> 
>So doesn't that mean my website is insecure? People can just go back 
>and access the pages in spite of being logged out.  
 
All websites are insecure.  People can go back and REMEMBER what 
your page looked like after they've logged out.  Or they could take 
a picture of the monitor with a camera.  Or save the page to a local 
disk file.  You won't be able to fix that until human brains are 
required to support DRM so they can't remember anything beyond the 
time limit in the license.  Browser caches aren't much more of a 
problem. 
 
This does mean, though, that the only computers that have copies 
of your stuff in the browser cache are those that had an authorized 
user log in and view the pages in question. 
 
>But how come a lot of 
>other websites I have accessed are logged out properly? That's why I 
>thought it's something to do with my code. 
 
Don't use the presence or absence of a session cookie to indicate 
that a user is properly logged in.  Use data in the PHP session. 
One method I think works well is to have a session variable 'last_hit', 
which represents the time the session last hit the server (in the 
protected section).  You may also want another variable indicating 
what user name they logged in with, so you know whose preferences 
to use and whose name to use on sent messages. 
 
You set this last_hit variable to the current time when they log 
in correctly (and remove it if they fail to log in), and check (on 
every protected page) that it's not too old (say, no older than 
half an hour).  Don't use cookie expiration times; browsers don't 
enforce them well, and desktop computers have notoriously inaccurate 
clocks (once I discovered that 5% of certain users had the YEAR 
wrong).  Also don't use PHP session expiration times.  If you read 
the documentation you'll see that, in the name of performance, it's 
really sloppy about cleaning up old sessions, especially if your 
site doesn't get much traffic. 
 
If they aren't logged in (last_hit not set) or it's too old, redirect 
them to the login page instead of showing them the page they wanted. 
If they ARE logged in and the session isn't stale, set last_hit to 
the current time, then display the page.  This permits users to 
stay logged in as long as they want, provided they keep clicking. 
If they go home from work, or otherwise walk away from the computer 
for a long time, the session will go stale by the time they get 
back.  No matter how long it's saved in browser history, the 
associated session data will show an *OLD* login, and they'll just 
get the login page. 
 
That limit for what constitutes a stale login requires some thought. 
A year is probably too long.  A second is way too short.  Half an hour 
may not be enough time for a user to compose a (thoughtful) message 
and send it.  Do you want to blow away a half-completed message if 
they have to leave for lunch in the middle of composing it?
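The last_hit scheme described in the reply above, written out as a small PHP session guard. This is an added example, not code from the original thread; it assumes the login page is at /login.php and that the protected page calls require_login() before any output. It goes one step beyond the post by regenerating the session id on login and by sending a no-store header, which the post notes is only a recommendation to the browser.

```php
<?php
// Added example (not from the original post): server-side idle timeout using
// a 'last_hit' timestamp in $_SESSION, as described in the reply above.

const SESSION_IDLE_LIMIT = 1800;   // 30 minutes, the "half an hour" from the post

// Pure check: true only if a user is recorded AND the last hit is recent enough.
// Uses the server clock only; browser cookie expiry and client clocks are not trusted.
function session_is_fresh(array $session, int $now, int $limit = SESSION_IDLE_LIMIT): bool
{
    if (!isset($session['user'], $session['last_hit'])) {
        return false;                         // never logged in, or logged out
    }
    return ($now - (int) $session['last_hit']) <= $limit;
}

// Call at the top of every protected page. Returns the logged-in user name.
function require_login(): string
{
    session_start();
    header('Cache-Control: no-store');        // hint only; browsers may still keep a copy
    if (!session_is_fresh($_SESSION, time())) {
        $_SESSION = [];                       // stale or absent: drop the login entirely
        session_destroy();
        header('Location: /login.php');       // assumed path of the login page
        exit;
    }
    $_SESSION['last_hit'] = time();           // keep clicking = stay logged in
    return (string) $_SESSION['user'];
}

// Call from login.php only after the credentials have been verified.
function record_login(string $user): void
{
    session_regenerate_id(true);              // fresh id so a pre-login id is not reused
    $_SESSION['user'] = $user;
    $_SESSION['last_hit'] = time();
}

// Call on a failed login attempt or an explicit logout.
function clear_login(): void
{
    unset($_SESSION['user'], $_SESSION['last_hit']);
}
```

Revisiting a cached protected page from browser history still shows the old copy locally, as the thread explains; what this guard prevents is any new request with that session being served without a fresh login.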
 