Hi Kevin,
I don't understand this part well:
> if active session {
>     // validate privs for this page
Can you give a small example?
TIA,
Stas

"Kevin Stone" <[EMAIL PROTECTED]> wrote in message
news:019501c2be78$4ad0dc30$6601a8c0@kevin...
> Don,
>
> The only method that I have discovered to protect the login against the
> back-button is to validate the session at the top of each and every
> protected page.  Forgive the pseudo code..
>
> <?
> if active session {
>     // validate privs for this page
>     // session start
> }else{
>     // logout
> }
> ?>
>
> When the back button is pressed it goes through this process, sees that
> there is no active session, goes to else and shunts back to the login
> screen.
>
> Hope that helps,
> Kevin
>
> ----- Original Message -----
> From: "Bobby Patel" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, January 17, 2003 3:26 PM
> Subject: [PHP] Re: Question about using session and "logging out"
>
>
> > I believe there is something (a meta tag?) called meta-refresh or just
> > refresh.
> >
> > But I believe you have to set the refresh interval, and if you set the
> > interval too small it might eat your server's resources.
> >
> > OR I just thought of this, sometimes when you get to a page (usually with
> > forms?) it says that the page is expired and must be refreshed. Maybe you
> > can get that behaviour, so that when someone hits back, they have to
> > refresh.
> >
> > Bobby
> >
> > "Don" <[EMAIL PROTECTED]> wrote in message
> > news:020401c2be4f$c5420fd0$c889cdcd@enterprise...
> > Hi,
> >
> > I have an application that uses sessions to allow customers to access a
> > restricted area.  That is, they are prompted for a user login and password.
> > I then use sessions to track each customer.  At the top of each page, I have
> > placed the following PHP code:
> >
> > session_cache_limiter('Cache-control: private');
> > session_start();
> >
> > Everything works fine.  However, I have a logout link that when clicked,
> > runs the following PHP code (where userid is the login name):
> >
> > session_cache_limiter('nocache');
> > if (isset($HTTP_SESSION_VARS['userid'])) {
> >    $HTTP_SESSION_VARS['userid'] = '';
> >    session_unregister($HTTP_SESSION_VARS['userid']);
> > }
> > session_unset();
> > session_destroy();
> > Header('Location: ' . 'http://www.lclnav.com' . $globals->relative_path .
> > 'customerlogin_standard.html');
> >
> > I think the above is all that is needed to end the session.  I use the
> > Header() function to take the user back to the login  page.
> >
> > Here is my question:  Once I click on the "logout" link and am taken back to
> > the main login page, I can click on the browser BACK button and still get my
> > previous page 'as if I was still logged in'.  Please note that clicking on
> > REFRESH tells me that I am not really logged in.
> >
> > I know that browsers cache pages and there may not be anything I can do,
> > however, I have seen sites that seem to work around this; i.e., clicking on
> > the back button loads a page telling the user that they are no longer
> > logged in.  This is what I want to emulate.  Is there a PHP method to always
> > force a reload the first time a page is called?
> >
> > Thanks,
> > Don
> >
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>
>
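
Added example (not part of the original thread): one way to write the check Kevin sketches above as real PHP, placed at the top of a protected page. The function name require_login(), the 'privs' session key and the /login.php path are assumptions; 'userid' is the session variable from Don's post, and $_SESSION is used in place of $HTTP_SESSION_VARS.

```php
<?php
// Added example, not code from the thread. In practice the function would
// live in an include file that every protected page loads first.
// Assumed names: require_login(), $_SESSION['privs'], /login.php.

function require_login(string $neededPriv): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Must be called before session_start(). 'nocache' makes PHP send
        // Expires / Cache-Control / Pragma headers asking the browser not to
        // reuse a stored copy of this page.
        session_cache_limiter('nocache');
        session_start();
    }

    // "if active session": the login script stored userid after a
    // successful login, and the logout script destroyed the session.
    if (empty($_SESSION['userid'])) {
        // "else logout": no valid session, so send the user to the login page.
        header('Location: /login.php');
        exit; // stop here so none of the protected page is sent
    }

    // "validate privs for this page": the login script is assumed to have
    // stored a list of privilege names for this user in the session.
    $privs = $_SESSION['privs'] ?? [];
    if (!in_array($neededPriv, $privs, true)) {
        http_response_code(403);
        exit('You are not authorized to view this page.');
    }
}

// First statement of the protected page, before any output:
require_login('customer');
?>
<html>
<body>
<p>Restricted content for user
<?php echo htmlspecialchars($_SESSION['userid'], ENT_QUOTES); ?>.</p>
</body>
</html>
```

The check must run before any output is sent, because both session_start() and header() need to emit HTTP headers.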


