Posted by Nacho on 11/05/96 11:47
Hi Erwin
First, thanks for the reply.
My English is not so good...
Anyway, let's take it from
> Now if the user clicks the back button of the explorer, he is redirected
> to a no-access page, fine, and so on as long as the user navigates back
> in the session, but when the user gets to the log on page, it recovers
> the POSTDATA and sets again the session variable to true and anyone
> can see then the private area.
I will try to put a real example:
Let's say that you are the user and you have been doing stuff in the
private area, then after a while, you log off. Then the session is
destroyed and also all its variables. Then you leave the Internet cafe
but you don't close the browser. Somebody else comes and starts clicking
on the back button; he/she gets redirected to a "no-access" page
because there is no session anymore, thus no session variable. BUT when
he/she gets to the log on page (after having clicked x times)... the
script gets executed again, the session is started, the value of
$password is taken from the cache (from the logonHTML.php page) and
the logon succeeds.
I think I should have set the logonHTML.php page, which is the one that
has the password textbox, as not cached (using headers); I just realised
now, but I can not try until I get home...
This is more or less the code of these pages
logon.php ************************************************************
<?php
session_start();
// here I set the page not to be cached
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Pragma: no-cache');
if (isset($_POST['password'])) // name of the textbox
{
    if (password_ok($_POST['password'])) // password_ok(): the "password is OK" check
    {
        $_SESSION["isAuthenticated"] = "Y";
        echo 'log on is successful';
        menu();
        exit(); // do not fall through and show the log on form again
    }
    else
    {
        // log on form
        include('logonHTML.php');
        footer();
        exit();
    }
}
// log on form (no password submitted yet)
include('logonHTML.php');
footer();
logon.php ************************************************************
logonHTML.php
************************************************************
<!-- action="" posts back to the page that included this form (logon.php) -->
<form method="post" action="">
    <input type="password" name="password">
    <input type="submit" value="Log on">
</form>
logonHTML.php
************************************************************
Thanks anyway and I hope not to confuse you!!
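A hardened logon.php for the replayed-POSTDATA problem described in this post, added here as an example (it is not the poster's code). It assumes password_ok(), menu() and footer() exist as in the post, and that logonHTML.php renders the form; the one-time login token is what stops a form re-submitted from the browser cache from authenticating against a session that has already been destroyed, and the no-store headers keep the browser from reusing the page at all.

```php
<?php
// Added example, not the poster's code: logon.php with a one-time login token.
// Assumed helpers from the post: password_ok($pw), menu(), footer().
// Assumed form: logonHTML.php POSTs "password" plus a hidden field
// "login_token" whose value is $login_token (HTML-escaped).
session_start();

// Tell the browser not to store this page, so Back cannot redisplay or re-POST it.
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Pragma: no-cache');
header('Expires: 0');

function issue_login_token(): string
{
    // Token bound to the *current* session. After logoff destroys the session,
    // a cached form still carries the old token, which no longer matches anything.
    $_SESSION['login_token'] = bin2hex(random_bytes(32));
    return $_SESSION['login_token'];
}

function login_token_valid(array $post, array $session): bool
{
    return isset($post['login_token'], $session['login_token'])
        && hash_equals($session['login_token'], (string) $post['login_token']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['password'])) {
    $tokenOk = login_token_valid($_POST, $_SESSION);
    unset($_SESSION['login_token']);            // single use, whether or not it matched

    if ($tokenOk && password_ok($_POST['password'])) {
        session_regenerate_id(true);            // fresh session id once authenticated
        $_SESSION['isAuthenticated'] = 'Y';
        echo 'log on is successful';
        menu();
        exit;
    }
    // Wrong password, or a stale/replayed form from a session that no longer exists.
    echo 'log on failed';
}

// Show the log on form with a fresh token for the session the browser holds now.
$login_token = issue_login_token();
include 'logonHTML.php';
footer();
```

The logoff script keeps doing what the post describes (session_destroy()); with this token in place, a replayed POST from the cache is rejected because the new, empty session holds no matching token.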