Posted by Erwin Moller on 11/19/96 11:47
Nacho wrote:
> Hi Erwin
Hi Nacho,
>
> First, thanks for reply
> My English is not so good...
It is not bad either.
I can easily understand. :-)
Your first posting was a bit vague, but now I understand your problem.
>
> Anyway, lets take it from
>
>
> > Now if the user clicks the back button of the explorer, he is
> > redirected to a noaccess page, fine, and so on as long as the user
> > navigates back in the session, but when the user gets to the log on
> > page, it recovers the POSTDATA and sets again the session variable
> > to true and anyone can see then the private area.
>
> I will try to put a real example:
> Let's say that you are the user and you have been doing stuff in the
> private area, then after a while, you log off. Then the session is
> destroyed and also all its variables. Then you leave the internet-cafe
> but you don't close the Browser. Somebody else comes and starts clicking
> on the back button; he/she gets redirected to a "non-access" page
> because there is no session anymore thus no session variable. BUT when
> he/she gets to the log on page (after having clicked x times).......the
> script gets executed again and the session is started and the value
> from $password is taken from the Cache (from logonHTML.htl page) and
> the logon succeeds.
OK, this is the real problem.
You are afraid a lot of private pages are cached into the browser's memory
that can be retrieved easily by pressing the BACK button.
This IS a real problem, and you cannot 100% solve it.
You can however, try to tell the browser NOT to cache it.
BUT, if the browser has a will of its own, or is simply configured to store
all pages on disk/cache, you have little or no control.
I would suggest that you google a bit around because the problem you
describe is a famous one.
Here is a nice place to start.
http://www.htmlgoodies.com/beyond/reference/article.php/3472881
Remember however, YOU are not/never going to control the client browser, and
everybody is free to build and release a browser that just ignores your
headers and WILL cache everything it wants until 2050 and publish them in
a newspaper.
You are not controlling the browser. Period.
Once the browser received a response from the server, it is out of your
hands/control.
A lot of people can come up with tricks (in javascript maybe), but none will
be 100% secure.
So start with looking into the caching problem, make the best headers you can
come up with, and keep fingers crossed.
If that is not enough for you, you could add a few hurdles for people so the
simple BACK-button won't work.
One easy way is using AJAX to fill the page.
If somebody hits BACK, at least the page will be empty, because your
AJAX-scripts are configured to only respond if a valid session is found.
(Don't be afraid of AJAX, it is extremely simple. If you are interested,
this is a nice place to start: www.w3schools.com/ajax)
If security is a real concern of yours, you might also want to look into the
secure sister of http, named https.
At least it transmits the data scrambled over the internet.
One last word on this: If you just want to block simple back-button access,
try one of the above suggestions. If you need real security, call in some
help from an experienced expert. Security is a very complex business.
Good luck.
Regards,
Erwin Moller
>
> I think I should have set as not cached (using headers) the
> logonHTML.php page which is the one that has the password textbox, I
> just realised now, but I can not try until I get home...
>
> This is more or less the code of these pages
>
> logon.php ************************************************************
>
> <?php
> session_start();
>
> // here I set the page not to be cached
> header('Cache-Control: no-store, no-cache, must-revalidate');
> header('Pragma: no-cache');
> header('Expires: 0');
>
> // imports(), menu(), footer() and password_is_ok() are my own helpers
> // defined in other files (not shown here)
>
> if (isset($_POST['password'])) // name of the textbox
> {
>     if (password_is_ok($_POST['password']))
>     {
>         $_SESSION["isAuthenticated"] = "Y";
>         echo 'log on is successful';
>         menu();
>     }
>     else
>     {
>         // log on form
>         imports('logonHTML.html');
>         footer();
>         exit();
>     }
> }
>
> // log on form
> imports('logonHTML.html');
> footer();
>
> logon.php ************************************************************
>
>
> logonHTML.php
> ************************************************************
>
> <form method="post" action="">
>     <input type="password" name="password">
>     <input type="submit" value="Log on">
> </form>
>
> logonHTML.php
> ************************************************************
>
>
> Thanks anyway and I hope not to confuse you!!
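An added example, not code from either poster, of how the logon.php above could be written so that the scenario Nacho describes (the BACK button replaying the cached POSTDATA and logging the next person in) no longer works. It combines the no-store headers Erwin recommends with a one-time form token bound to the session: once the session is destroyed at logout the token is gone with it, so a replayed POST has nothing to match and is refused. The file name private.php, the demo password and the helper names are assumptions made for this example.

```php
<?php
// Added example, not code from either poster: a logon.php that closes the
// hole Nacho describes (BACK replays the cached POSTDATA and logs the next
// person in). Two independent measures:
//   1. no-store cache headers on the form and on private pages (best
//      effort: the browser is free to ignore them, as Erwin says);
//   2. a one-time token in the form, bound to the session and discarded on
//      first use, so a replayed POST can never authenticate again.
// private.php and the demo credential below are assumptions for the example.
declare(strict_types=1);

session_start();

// Constructed demo credential; a real site looks the hash up per user.
$demo_hash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);

function send_no_store_headers(): void
{
    // Cache-Control is for HTTP/1.1 caches; Pragma/Expires for HTTP/1.0 ones.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: Thu, 01 Jan 1970 00:00:00 GMT');
}

// Mint a fresh random token and remember it in the session.
function new_login_token(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['login_token'] = $token;
    return $token;
}

// Compare a submitted token with the session copy and burn it either way,
// so one rendered form can be submitted successfully at most once.
function consume_login_token(string $submitted): bool
{
    $expected = $_SESSION['login_token'] ?? null;
    unset($_SESSION['login_token']);
    return is_string($expected) && hash_equals($expected, $submitted);
}

function render_login_form(string $token): void
{
    $safe = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="logon.php">'
       . '<input type="hidden" name="token" value="' . $safe . '">'
       . '<input type="password" name="password" autocomplete="off">'
       . '<input type="submit" value="Log on">'
       . '</form>';
}

// Full logout: clear the data, expire the cookie, destroy the server side.
function log_out(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

send_no_store_headers();

if (isset($_GET['logout'])) {
    log_out();
    header('Location: logon.php', true, 303);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $token    = (string) ($_POST['token'] ?? '');
    $password = (string) ($_POST['password'] ?? '');

    if (consume_login_token($token) && password_verify($password, $demo_hash)) {
        session_regenerate_id(true);          // new id: no session fixation
        $_SESSION['isAuthenticated'] = 'Y';
        // Redirect after POST: the history entry becomes a GET, so BACK
        // has no POSTDATA to resubmit.
        header('Location: private.php', true, 303);
        exit;
    }
    // Wrong password, or a replayed/stale token: fall through to a fresh form.
}

render_login_form(new_login_token());
```

Every private page should call the same send_no_store_headers() before its first byte of output and refuse to render unless $_SESSION['isAuthenticated'] is set. The redirect after a successful POST matters on its own: the browser's history then holds a GET to private.php rather than the POST with the credentials, so there is nothing for BACK to resubmit even in a browser that ignores the cache headers.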