Posted by David Haynes on 11/11/10 11:47
Nacho wrote:
> Hi Erwin
> I will try to put a real example:
> Let's say that you are the user and you have been doing stuff in the
> private area, then after a while, you log off. Then the session is
> destroyed and also all its variables. Then you leave the internet cafe
> but you don't close the browser. Somebody else comes and starts clicking
> on the back button; he/she gets redirected to a "non-access" page
> because there is no session anymore, thus no session variable. BUT when
> he/she gets to the log on page (after having clicked x times)....... the
> script gets executed again, the session is started, the value
> of $password is taken from the cache (from the logonHTML.htl page) and
> the logon succeeds.
>
> I think I should have set the logonHTML.php page as not cached (using
> headers), which is the one that has the password textbox; I
> just realised now, but I can not try until I get home...
>
> This is more or less the code of these pages
>
> logon.php ************************************************************
>
> session_start();
>
> //here I set the page not to be cached
>
>
> header();
>
> if(isset($password)) //name of the textbox
> {
> if(password is OK)
> {
> $_SESSION["isAuthenticated"] = "Y";
> echo 'log on is successfull';
> menu();
> }
> else
> {
> //log on form
> imports(logonHTML.html);
> fotter();
> exit();
> }
> }
>
> //log on form
> imports(logonHTML.html);
> fotter();
A couple of things:
1. Why cache the password? If isAuthenticated == 'Y', then there should
be no need for the password anymore. I can't think of a good reason to
ever move the password into a SESSION (from a POST or GET).
2. Add a timestamp to the login (i.e. $_SESSION['timestamp'] = time() )
and then test for both isAuthenticated and time() -
$_SESSION['timestamp'] < some limit. This causes your SESSION to
invalidate itself after a set period of time. Naturally, a valid user
needs to have the $_SESSION['timestamp'] updated on each page fetch so
that the SESSION will not go stale.
-david-
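As an added illustration (not code from Nacho or David), here is a logon.php written along the lines of David's two points: the password is read only from the POST body and never kept in the session, and the session carries a timestamp that is checked and refreshed on every request. The `password_is_ok()` helper, the 15 minute idle limit and the stored hash are assumptions for the example; the page is also sent with no-cache headers so the back button cannot replay the form.

```php
<?php
// Added example, not the thread's own code. Assumptions: a hypothetical
// password_is_ok() check, a 15 minute idle limit, and a constructed hash.
session_start();

// Tell the browser and any proxy not to keep a copy of this page, so the
// back-button scenario in the thread cannot re-submit a cached form.
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Pragma: no-cache');
header('Expires: 0');

const IDLE_LIMIT = 15 * 60; // seconds; assumed value

function password_is_ok(string $password): bool
{
    // Constructed stand-in for a lookup against the real user store.
    $storedHash = password_hash('example-secret', PASSWORD_DEFAULT);
    return password_verify($password, $storedHash);
}

function session_is_valid(): bool
{
    if (($_SESSION['isAuthenticated'] ?? '') !== 'Y') {
        return false;
    }
    if (time() - (int)($_SESSION['timestamp'] ?? 0) > IDLE_LIMIT) {
        // Stale: drop everything, including isAuthenticated.
        session_unset();
        session_destroy();
        return false;
    }
    // Still valid: refresh the timestamp so an active user stays logged in.
    $_SESSION['timestamp'] = time();
    return true;
}

// Read the password only from the POST body, never from a variable that
// register_globals (or a cached form) might have populated.
$password = $_POST['password'] ?? null;

if ($password !== null && password_is_ok($password)) {
    session_regenerate_id(true);     // fresh session id after authentication
    $_SESSION['isAuthenticated'] = 'Y';
    $_SESSION['timestamp'] = time();
    // The password itself is never stored in $_SESSION.
    unset($password);
}

if (session_is_valid()) {
    echo 'log on is successful';
    // menu();
} else {
    // Log on form; in the thread this is imports('logonHTML.html') + fotter().
    echo '<form method="post">'
       . '<input type="password" name="password" autocomplete="off">'
       . '<input type="submit" value="Log on">'
       . '</form>';
}
```

Because `session_is_valid()` destroys a stale session before returning false, a request arriving after the idle limit lands on the logon form with nothing left over from the previous user, which is the behaviour David describes as the session invalidating itself.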