RE: [PHP] Re: session_unregister - but w00t about the back button?

2002-08-30 Thread victor

I did a :

session_unregister('xxx');
session_destroy();
header("Location: http://www.xxx.com/xxx");

and mozilla is the only browser out of ie6 netscape 4.7 and mozilla to
respect the logout and not repost the data on reload or back request.
Go mozilla. I guess the big boys somewhere are taking a nap.



-Original Message-
From: Justin French [mailto:[EMAIL PROTECTED]] 
Sent: Friday, August 30, 2002 10:32 PM
To: victor; 'Richard Lynch'; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Re: session_unregister - but w00t about the back button?

If you were REALLY concerned, you could use JavaScript (JavasCrap) to open a
new window and close the parent... this way there would be no such thing as
a "back" button... it'd be disabled.

I think later versions of JS can empty the history too (unsure though).

It's not going to be foolproof for those w/o JS, but it would be an added
level of security...


Justin


on 31/08/02 12:12 PM, victor ([EMAIL PROTECTED]) wrote:

> K, thanks, I sort of realized this, but I was wondering if the user
> is silly enough to leave the browser window open then someone can press
> the back button and go back, I will probably write a message somewhere
> to tell the user to close the browser window.
> 
> To the one who asked about the session_destroy thingie, I did that and I
> did session_unregister(blah) but does the order of these two count?
> 
> -Original Message-
> From: Richard Lynch [mailto:[EMAIL PROTECTED]]
> Sent: Friday, August 30, 2002 9:27 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: [PHP] Re: session_unregister - but w00t about the back button?
> 
>> I can logout with session_unregister - but w00t about the back button?
>> 
>> This is probably so trivial that it has been discussed before, if anyone
>> has some knowledge or link at hand mind passing it on? Thanks.
> 
> If you are using Cookies, then everything is fine.  Their cookies will be
> gone, and the back button will not alter that.
> 
> If you pass the SID through the URL, and do session_unregister, again,
> they'll "see" the old data maybe, but as soon as they move forward, the
> "new" data will be in force.
> 
> If you're worried about the back button and Security, you can try some
> headers() to convince the browsers not to cache (search archives for
> "no-cache") but the bottom line is going to be "User Education"  They either
> *quit* the browser, or risk that it's a stupid broken browser that ignored
> your request not to cache the data.


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php





Re: [PHP] Re: session_unregister - but w00t about the back button?

2002-08-30 Thread Justin French

If you were REALLY concerned, you could use JavaScript (JavasCrap) to open a
new window and close the parent... this way there would be no such thing as
a "back" button... it'd be disabled.

I think later versions of JS can empty the history too (unsure though).

It's not going to be foolproof for those w/o JS, but it would be an added
level of security...


Justin


on 31/08/02 12:12 PM, victor ([EMAIL PROTECTED]) wrote:

> K, thanks, I sort of realized this, but I was wondering if the user
> is silly enough to leave the browser window open then someone can press
> the back button and go back, I will probably write a message somewhere
> to tell the user to close the browser window.
> 
> To the one who asked about the session_destroy thingie, I did that and I
> did session_unregister(blah) but does the order of these two count?
> 
> -Original Message-
> From: Richard Lynch [mailto:[EMAIL PROTECTED]]
> Sent: Friday, August 30, 2002 9:27 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: [PHP] Re: session_unregister - but w00t about the back button?
> 
>> I can logout with session_unregister - but w00t about the back button?
>> 
>> This is probably so trivial that it has been discussed before, if anyone
>> has some knowledge or link at hand mind passing it on? Thanks.
> 
> If you are using Cookies, then everything is fine.  Their cookies will be
> gone, and the back button will not alter that.
> 
> If you pass the SID through the URL, and do session_unregister, again,
> they'll "see" the old data maybe, but as soon as they move forward, the
> "new" data will be in force.
> 
> If you're worried about the back button and Security, you can try some
> headers() to convince the browsers not to cache (search archives for
> "no-cache") but the bottom line is going to be "User Education"  They either
> *quit* the browser, or risk that it's a stupid broken browser that ignored
> your request not to cache the data.






RE: [PHP] Re: session_unregister - but w00t about the back button?

2002-08-30 Thread victor

K, thanks, I sort of realized this, but I was wondering if the user
is silly enough to leave the browser window open then someone can press
the back button and go back, I will probably write a message somewhere
to tell the user to close the browser window.

To the one who asked about the session_destroy thingie, I did that and I
did session_unregister(blah) but does the order of these two count?

-Original Message-
From: Richard Lynch [mailto:[EMAIL PROTECTED]] 
Sent: Friday, August 30, 2002 9:27 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [PHP] Re: session_unregister - but w00t about the back button?

>I can logout with session_unregister - but w00t about the back button?
>
>This is probably so trivial that it has been discussed before, if anyone
>has some knowledge or link at hand mind passing it on? Thanks.

If you are using Cookies, then everything is fine.  Their cookies will be
gone, and the back button will not alter that.

If you pass the SID through the URL, and do session_unregister, again,
they'll "see" the old data maybe, but as soon as they move forward, the
"new" data will be in force.

If you're worried about the back button and Security, you can try some
headers() to convince the browsers not to cache (search archives for
"no-cache") but the bottom line is going to be "User Education"  They either
*quit* the browser, or risk that it's a stupid broken browser that ignored
your request not to cache the data.

-- 
Like Music?  http://l-i-e.com/artists.htm






[PHP] Re: session_unregister - but w00t about the back button?

2002-08-30 Thread Richard Lynch

>I can logout with session_unregister - but w00t about the back button?
>
>This is probably so trivial that it has been discussed before, if anyone
>has some knowledge or link at hand mind passing it on? Thanks.

If you are using Cookies, then everything is fine.  Their cookies will be
gone, and the back button will not alter that.

If you pass the SID through the URL, and do session_unregister, again,
they'll "see" the old data maybe, but as soon as they move forward, the
"new" data will be in force.

If you're worried about the back button and Security, you can try some
headers() to convince the browsers not to cache (search archives for
"no-cache") but the bottom line is going to be "User Education"  They either
*quit* the browser, or risk that it's a stupid broken browser that ignored
your request not to cache the data.

-- 
Like Music?  http://l-i-e.com/artists.htm
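
The logout sequence and no-cache headers discussed in this thread, as an added example that is not part of any poster's message. The names `require_login()` and `logout()`, the `user_id` session key and the URL arguments are assumptions; `session_unregister()` was removed in PHP 5.4, so the example clears `$_SESSION` instead.

```php
<?php
// Added example. require_login(), logout() and the 'user_id' key are
// hypothetical names, not taken from the thread.

// Call at the top of every page that shows session data.
function require_login(string $loginUrl): void
{
    session_start();

    // Ask the browser and any proxy not to store this response, so that
    // Back or Reload has to ask the server instead of showing a cached copy.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');   // HTTP/1.0 clients
    header('Expires: 0');

    // The server-side check is what enforces the logout: once the session
    // is destroyed, any re-request of this page is redirected to the login.
    if (empty($_SESSION['user_id'])) {
        header('Location: ' . $loginUrl);
        exit;
    }
}

function logout(string $redirectUrl): void
{
    session_start();

    // 1. Drop the session variables for the rest of this request.
    $_SESSION = [];

    // 2. Expire the session cookie in the browser.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    // 3. Delete the session data stored on the server.
    session_destroy();

    // 4. Redirect with 303 so the browser follows up with a plain GET
    //    and Reload does not offer to repost the logout request.
    header('Location: ' . $redirectUrl, true, 303);
    exit;
}
```

Headers only influence whether the browser keeps a copy of a page; the `$_SESSION` check in `require_login()` is what stops a reused session ID from reaching protected data after logout.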






[PHP] Re: session_unregister - but w00t about the back button?

2002-08-30 Thread CHAILLAN Nicolas

Did you also destroy the session?

--
Thank you for choosing us.
Nicos - CHAILLAN Nicolas
[EMAIL PROTECTED]
[EMAIL PROTECTED]
www.GroupAKT.com - Hosting Group.
www.WorldAKT.com - Website hosting
"Victor" <[EMAIL PROTECTED]> wrote in message news:
01c24fe2$bbed4ed0$[EMAIL PROTECTED]
> I can logout with session_unregister - but w00t about the back button?
>
> This is probably so trivial that it has been discussed before, if anyone
> has some knowledge or link at hand mind passing it on? Thanks.
>
> - Victor > www.argilent.com


