Posted by Erwin Moller on 06/19/62 11:47
Nacho wrote:
 > Hello people
 
 Hi Nacho,
 
 >
 > I have the following problem
 >
 > I have a private area in my site.
 > The user enters the username and password, then clicks "enter" and the
 > session is created and also a session variable is created and set to
 > true.
 > Every page of the private area, checks whether this session variable is
 > set to true and then if so, it gives you access, otherwise it redirects
 > to a noaccess page.
 > The user moves around the private area, does whatever he/she has to do
 > and then logs out. Then the session is destroyed and the session
 > variable also.
 
 So far ok.
 
 >
 > Now if the user clicks the back button of the explorer, is redirected
 > to a noaccess page, fine, and so on as long as the user navigates back
 > in the session, but when the user gets to the log on page, it recovers
 > the POSTDATA and sets again the session variable to true and anyone
 > can see then the private area.
 
 ???
 I am not sure what you are describing.
 If a validated user uses the BACK button (the button that creates the most
 headaches for server-side programmers), he is probably viewing cached pages.
 If you disabled caching, maybe the browser makes a fresh request.
 
 Now, if I have a var in my session like this:
 $_SESSION["isAuthenticated"] = "Y";
 it will remain in the session until YOU remove it, or the session ends.
 The BACK-button has little to do with that.
 
 Be sure you know what is going on.
 
 Try this for debugging:
 Start all the pages you are investigating with:
 <pre>
 <?php print_r($_SESSION); // dump the current session data ?>
 </pre>
 
 (after body-tag)
 
 Now with this small addition you can easily see what session-data is on
 which page.
 
 Great way to debug.
 If you have a live site and do not want to spit out geeky information into
 your visitors' faces, just put HTML comment tags around it, and use
 view-source to view the data.
 
 >
 > I have set the page not to be cached, but it does not work,.....
 
 How?
 In the browser or with extra header information?
 
 
 >
 > Does anyone know how to solve this problem??
 >
 
 Soon you can yourself if you use the print_r debugging option.  :-)
 
 Regards,
 Erwin Moller
 
 > Thanks
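
An added example, not part of Erwin's post or the original site's code: a single-file login flow that sends no-cache headers, answers the login POST with a redirect so BACK has no POSTDATA to replay, and clears the session on logout. The file name `login.php`, the `action` parameter and the `demo` account are assumptions made for illustration.

```php
<?php
// Added example. Assumed file name: login.php. The account below is constructed
// sample data; a real site would look the password hash up in its user store.
$users = ['demo' => password_hash('constructed-sample-password', PASSWORD_DEFAULT)];

session_start();

// "Extra header information": ask the browser not to keep a copy, so BACK
// makes a fresh request that goes through the session check again.
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Pragma: no-cache');
header('Expires: 0');

$action = $_GET['action'] ?? 'form';

if ($action === 'logout') {
    $_SESSION = [];                      // drop isAuthenticated and everything else
    $p = session_get_cookie_params();    // expire the session cookie as well
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
    header('Location: login.php', true, 303);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';
    $ok = is_string($name) && is_string($pass)
        && isset($users[$name]) && password_verify($pass, $users[$name]);
    if ($ok) {
        session_regenerate_id(true);     // fresh session id for the logged-in session
        $_SESSION['isAuthenticated'] = 'Y';
    }
    // Post/Redirect/Get: the POST is answered with a redirect, so the page the
    // browser keeps in its history is the GET that follows, not the credentials.
    header('Location: login.php?action=' . ($ok ? 'private' : 'form'), true, 303);
    exit;
}

if ($action === 'private') {
    if (($_SESSION['isAuthenticated'] ?? '') !== 'Y') {
        header('Location: login.php', true, 303);   // stands in for the noaccess page
        exit;
    }
    exit('<p>Private area.</p><a href="login.php?action=logout">Log out</a>');
}
?>
<form method="post" action="login.php">
  <input name="username"> <input name="password" type="password"> <button>Enter</button>
</form>
```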