Re: [PHP] Logging out of a SSL / https:// site using PHP? (or JS?), Client Side Cache
""Michael A. Peters"" wrote in message news:49e4d4ca.7060...@mac.com... > scubak1w1 wrote: >> ""Michael A. Peters"" wrote in message >> news:49e41267.5010...@mac.com... >>> scubak1w1 wrote: I have a series of web sites which use https:// authentication (using AD integration to 'check the credentials' as it were) - all seems to be working well.. [snip] > > I don't know much about active directory but I thought one of the points > of AD was to eliminate the need for a user to log in since they are > already authenticated by the centralized AD system. Thanks Micheal for helping me clarify the situation, I appreciate your expertise... and sorry for the delay in replying, it has been a busy week so far! I am usings AD, as mentioned and as you probably inferred, so I don't have to sync credentials on "my" system with the 500± users in the AD... (i.e., when someone leaves the company, new hires, password changes, etc, etc) > If you want to use active directory as the only user authentication method > then as long as the browser sends the credentials it will verify and the > user is logged in. Yep, that is it - not forgetting that users may use the intranet site from the company internet site on PCs not logged on to the network... > You could probably use password _in addition to_ active directory to > authenticate a php session, allowing you increased security over just a > session token (IE browser has to send valid php session AND active > directory credentials) but if you want a user to have to login in addition > to active directory credentials, use php sessions on your server, and upon > succesful login w/ proper AD credentials set a session variable that says > they are authenticated. OK, that is where I am at now... glad to see I am following 'standard procedure' > When they log out, unset the session variable that says they are logged in > and expire the session. Then regardless of their AD credentials, they will > have to log in again to be verified by the session system. Now HERE is where I think I have having the issues... I can use PHP to log them off my site, server side, and hence "demand" to see their AD credentials again... BUT from my reading and understanding, the browser is caching this info - and so when it "sees" the request for AD credentials it says "oh, I have those from a few minutes ago, here you go..." (i.e., the same browser session on the clients side if they haven't closed their browser in the meantime...), thereby relogging them on server side - but I > SSL doesn't do anything magic as far as user authentication is concerned, > it simply provides a public/private key encryption so that (theoretically) > only the browser can decrypt what the server sends and only the server can > decrypt what the browser sends. That distinction is useful to know / be reminded about, thank you - since IIS integrates SSL and AD transparently to me as a non-IT-admin person, I guess I was not making that distinction clearly enough... So (assuming I have this right) is there a way to have PHP clear the user's browser cache of the appropiate AD credentials if the user is in the same browser session and then move to, say, www.google.com? Or should I be looking at some JS? Or expending my efforts on other 'projects'? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Logging out of a SSL / https:// site using PHP? (or JS?), Client Side Cache
scubak1w1 wrote: ""Michael A. Peters"" wrote in message news:49e41267.5010...@mac.com... scubak1w1 wrote: I have a series of web sites which use https:// authentication (using AD integration to 'check the credentials' as it were) - all seems to be working well.. I have been Googling et al. for a way to log the user off the site "fully"... I can do a series of things on the server side per Dreamweaver's Server Behaviour / User Authentication | Log Out User, etc - but the client's browser cache (?) still keeps the credentials, and so ifthey return to the site (say, with their back button) they can get right back in... Sounds like you are not properly expiring the session. The only login credentials that ever should be stored with the client is a session id. Expire the session id - and the session ID in their cookie becomes completely meaningless. OK, I will go back and reread... My understanding was that SSL aka https was taking care of the credential checking using, in our case, Active Directory user entries - and that PHP was just grabbing the UID from that source - for instance, what I do is: //grab the logged on user, depending on whether they logged on with the domain prepended if(substr_count($_SERVER['REMOTE_USER'],"\\") != 0) { //the logon has a domain prepended before the 'actual' UID list($logged_on_domain, $logged_on_user) = split('', $_SERVER['REMOTE_USER']); //grab the logged on user off the IIS server variable/s, and split off the (presumed) "[domain]\" portion and essentially discard <--NOTE USE OF FOUR(4)backslashes as needs to be *double escaped* } else { //no domain (assume) prepended before the back slash, so just the 'actual' UID $logged_on_user = $_SERVER['REMOTE_USER']; }; I can set $_SERVER['REMOTE_USER'] = 'baddomain\baduser' of course - but when I return to the secure page the user's browser cache (?) has reset $_SERVER['REMOTE_USER'] to be their previously logged on user name - so they are still logged in... So maybe my "logging off" question is not really PHP-specific? Hmmm I will go back and reread various pages (paper and online) with your suggestion/s as the context - so thank you... I don't know much about active directory but I thought one of the points of AD was to eliminate the need for a user to log in since they are already authenticated by the centralized AD system. If you want to use active directory as the only user authentication method then as long as the browser sends the credentials it will verify and the user is logged in. You could probably use password _in addition to_ active directory to authenticate a php session, allowing you increased security over just a session token (IE browser has to send valid php session AND active directory credentials) but if you want a user to have to login in addition to active directory credentials, use php sessions on your server, and upon succesful login w/ proper AD credentials set a session variable that says they are authenticated. When they log out, unset the session variable that says they are logged in and expire the session. Then regardless of their AD credentials, they will have to log in again to be verified by the session system. SSL doesn't do anything magic as far as user authentication is concerned, it simply provides a public/private key encryption so that (theoretically) only the browser can decrypt what the server sends and only the server can decrypt what the browser sends. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Logging out of a SSL / https:// site using PHP? (or JS?), Client Side Cache
""Michael A. Peters"" wrote in message news:49e41267.5010...@mac.com... > scubak1w1 wrote: >> I have a series of web sites which use https:// authentication (using AD >> integration to 'check the credentials' as it were) - all seems to be >> working well.. >> >> I have been Googling et al. for a way to log the user off the site >> "fully"... >> >> >> I can do a series of things on the server side per Dreamweaver's Server >> Behaviour / User Authentication | Log Out User, etc - but the client's >> browser cache (?) still keeps the credentials, and so ifthey return to >> the site (say, with their back button) they can get right back in... > > Sounds like you are not properly expiring the session. > The only login credentials that ever should be stored with the client is a > session id. > > Expire the session id - and the session ID in their cookie becomes > completely meaningless. OK, I will go back and reread... My understanding was that SSL aka https was taking care of the credential checking using, in our case, Active Directory user entries - and that PHP was just grabbing the UID from that source - for instance, what I do is: //grab the logged on user, depending on whether they logged on with the domain prepended if(substr_count($_SERVER['REMOTE_USER'],"\\") != 0) { //the logon has a domain prepended before the 'actual' UID list($logged_on_domain, $logged_on_user) = split('', $_SERVER['REMOTE_USER']); //grab the logged on user off the IIS server variable/s, and split off the (presumed) "[domain]\" portion and essentially discard <--NOTE USE OF FOUR(4)backslashes as needs to be *double escaped* } else { //no domain (assume) prepended before the back slash, so just the 'actual' UID $logged_on_user = $_SERVER['REMOTE_USER']; }; I can set $_SERVER['REMOTE_USER'] = 'baddomain\baduser' of course - but when I return to the secure page the user's browser cache (?) has reset $_SERVER['REMOTE_USER'] to be their previously logged on user name - so they are still logged in... So maybe my "logging off" question is not really PHP-specific? Hmmm I will go back and reread various pages (paper and online) with your suggestion/s as the context - so thank you... Regards, GREG... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Logging out of a SSL / https:// site using PHP? (or JS?), Client Side Cache
scubak1w1 wrote: Hello, I have a series of web sites which use https:// authentication (using AD integration to 'check the credentials' as it were) - all seems to be working well.. I have been Googling et al. for a way to log the user off the site "fully"... I can do a series of things on the server side per Dreamweaver's Server Behaviour / User Authentication | Log Out User, etc - but the client's browser cache (?) still keeps the credentials, and so ifthey return to the site (say, with their back button) they can get right back in... Sounds like you are not properly expiring the session. The only login credentials that ever should be stored with the client is a session id. Expire the session id - and the session ID in their cookie becomes completely meaningless. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Logging out of a SSL / https:// site using PHP? (or JS?), Client Side Cache
Hello, I have a series of web sites which use https:// authentication (using AD integration to 'check the credentials' as it were) - all seems to be working well.. I have been Googling et al. for a way to log the user off the site "fully"... I can do a series of things on the server side per Dreamweaver's Server Behaviour / User Authentication | Log Out User, etc - but the client's browser cache (?) still keeps the credentials, and so ifthey return to the site (say, with their back button) they can get right back in... the only sure fire way that I can see, simply, is to close and reopen the browser. Any thoughts on how to clear the user's browser's cache of a https:// site's credentials and then send them on to a non-secure page? I thought of: a.. closing and reopening the browser with some JS, if this is indeed possible - buT I would need to somehow keep track of what other pages the user had open, their security settings might now allow it, the user would likley get annoyed, etc, etc b.. "forcing" a 401 or 403 - but my attempts at 'coding' this were unsuccessful - and also how do you get the page to redirect on to something like www.adobe.com or something (because seeing a 403 'standard page message' would likely be "alarming" to the average user c.. I have some code in ASP that will do this, but the user would be have to be limited to using Internet Destroyer -ugh! :-) Thanks In Advance: GREG... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php