Well, then the pseudo-code is a bit incorrect; I think it should be like:
<?php
 session_start(); // session start
 if (isset($_SESSION['userid'])) { // session registered
  // Do whatever you need
 }
 else {
  // logout
 }
?>

But what about a case like this:
Say we have 3 pages:
1) login page (the user enters credentials and is redirected to page 2)
2) secure page (where we validate the user, register session vars, etc.). Then the user
clicks "logout" and is redirected to page 3.
3) logout page. We destroy the session and log out the user.

If at this point the user clicks the Back button, he/she will get the message "Warning:
page expired" (this is the secure page). Because the browser
still has the credentials entered on page 1 (login page), pressing the refresh button
starts a new session and the secure page is accessible.
How can this problem be fixed?
Stas



"Vladislav Kulchitski" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
I think the method Kevin mentioned is the best.

In other words, on every secure page you have a script that checks whether a
session is registered. If it is, it lets you go through and execute the rest of
the script; if not, it simply tells you to log in, that's it. Very simple; if
interested, I can show an example.

Vlad

-----Original Message-----
From: Stanislav Skrypnik [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 17, 2003 7:30 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Re: Question about using session and "logging out"

Hi Kevin,
I don't quite understand this part:
> if active session {
>     // validate privs for this page
Can you give a small example?
TIA,
Stas

"Kevin Stone" <[EMAIL PROTECTED]> wrote in message
news:019501c2be78$4ad0dc30$6601a8c0@kevin...
> Don,
>
> The only method that I have discovered to protect the login against the
> back-button is to validate the session at the top of each and every
> protected page.  Forgive the pseudo code..
>
> <?
> if active session {
>     // validate privs for this page
>     // session start
> }else{
>     // logout
> }
> ?>
>
> When the back button is pressed it goes through this process, sees that
> there is no active session, goes to else and shunts back to the login
> screen.
>
> Hope that helps,
> Kevin
>
> ----- Original Message -----
> From: "Bobby Patel" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, January 17, 2003 3:26 PM
> Subject: [PHP] Re: Question about using session and "logging out"
>
>
> > I believe there is something (a meta tag?) called meta-refresh or just
> > refresh.
> >
> > But I believe you have to set the refresh interval, and if you set the
> > interval too small it might eat your server's resources.
> >
> > OR I just thought of this: sometimes when you get to a page (usually with
> > forms?) it says that the page is expired and must be refreshed. Maybe you
> > can get that behaviour, so that when someone hits back, they have to
> > refresh.
> >
> > Bobby
> >
> > "Don" <[EMAIL PROTECTED]> wrote in message
> > news:020401c2be4f$c5420fd0$c889cdcd@enterprise...
> > Hi,
> >
> > I have an application that uses sessions to allow customers to access a
> > restricted area.  That is, they are prompted for a user login and password.
> > I then use sessions to track each customer.  At the top of each page, I have
> > placed the following PHP code:
> >
> > session_cache_limiter('Cache-control: private');
> > session_start();
> >
> > Everything works fine.  However, I have a logout link that when clicked,
> > runs the following PHP code (where userid is the login name):
> >
> > session_cache_limiter('nocache');
> > if (isset($HTTP_SESSION_VARS['userid'])) {
> >    $HTTP_SESSION_VARS['userid'] = '';
> >    session_unregister($HTTP_SESSION_VARS['userid']);
> > }
> > session_unset();
> > session_destroy();
> > Header('Location: ' . 'http://www.lclnav.com' . $globals->relative_path .
> > 'customerlogin_standard.html');
> >
> > I think the above is all that is needed to end the session.  I use the
> > Header() function to take the user back to the login  page.
> >
> > Here is my question:  Once I click on the "logout" link and am taken back to
> > the main login page, I can click on the browser BACK button and still get my
> > previous page 'as if I was still logged in'.  Please note that clicking on
> > REFRESH tells me that I am not really logged in.
> >
> > I know that browsers cache pages and there may not be anything I can do,
> > however, I have seen sites that seem to work around this; i.e., clicking on
> > the back button loads a page telling the user that they are no longer
> > logged in.  This is what I want to emulate.  Is there a PHP method to always
> > force a reload the first time a page is called?
> >
> > Thanks,
> > Don
> >
> >
> > ---
> > Outgoing mail is certified Virus Free.
> > Checked by AVG anti-virus system (http://www.grisoft.com).
> > Version: 6.0.443 / Virus Database: 248 - Release Date: 1/10/2003
> >
> >
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>
>



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
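
The three-page flow from the top message of this thread (login, secure page, logout), as an added example that is not code from any poster here: the login handler answers the POST with a 303 redirect, so the secure page is only ever reached by GET and a refresh has no credentials to re-send; every protected request checks the session; logout destroys it. The `?page=` routing, `check_credentials()` and the demo account are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. check_credentials() and the
// ?page= routing are hypothetical stand-ins for the poster's three pages.
session_start();

function no_store(): void {
    // Ask the browser not to keep a copy that the Back button could redisplay.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
}

function redirect(string $page): void {
    // 303 makes the browser follow up with GET, so Refresh or Back never
    // re-sends the POST body that carried the credentials.
    header('Location: ?page=' . $page, true, 303);
    exit;
}

function check_credentials(string $user, string $pass): bool {
    // Constructed demo account; a real application verifies a stored hash.
    $hash = password_hash('demo-password', PASSWORD_DEFAULT);
    return $user === 'demo' && password_verify($pass, $hash);
}

$page = $_GET['page'] ?? 'login';
no_store();

if ($page === 'login' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    if (check_credentials($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
        session_regenerate_id(true);   // fresh session id after login
        $_SESSION['userid'] = $_POST['user'];
        redirect('secure');
    }
    redirect('login');
} elseif ($page === 'secure') {
    if (!isset($_SESSION['userid'])) { // the check done on every protected page
        redirect('login');
    }
    echo 'Hello ', htmlspecialchars($_SESSION['userid']),
         ' <a href="?page=logout">logout</a>';
} elseif ($page === 'logout') {
    $_SESSION = [];                    // drop the data, then the session itself
    session_destroy();
    redirect('login');
} else {
    echo '<form method="post" action="?page=login">',
         '<input name="user"><input name="pass" type="password">',
         '<button>Login</button></form>';
}
```

After logout, Back or Refresh on the secure page issues a plain GET, fails the session check and lands on the login form.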


