
user can log back in in IE after logging out by hitting back button

开发者 https://www.devze.com 2023-01-09 07:33 Source: Internet
I am using a PHP login script that challenges user for username & password.

Once authenticated, the program stores a session value. On logout, the session value is set to blanks.

Here is the problem:

In IE 8 (not Firefox), user can hit back button a few times until the screen which shows "Web Page has expired" message. This is likely the login screen.

If he presses F5, it looks like the username and password are still hanging around in POST variables and he gets logged back in.


It sounds like you are not actually deleting the session on the server; rather, you are clearing the session ID in the URL (or something) on the client. So when the back button is pressed, it tries to resubmit, the session ID is passed along, and your server is accepting it.

OR

The pages are just being cached by the client and when they press back, it loads from the cache. When they force the refresh, it reloads the page without the variables.


You are going to need a session-based verifier to fix this. You pass to your login form a hidden field with a random verifier string. Store the random string in the session and use the reposted hidden field to verify against this identifier. After confirming login, regenerate the verifier so that the next time the form is posted the verifier is incorrect and the back-button post doesn't work.


After you post your login form and verify/login/everything, do a header('location:someOtherPage.php') redirect to another page. Then the form will not be able to be re-posted by pressing F5. For example:

//login.php
<?php
//send no-cache headers here if you want the login page never served from the browser cache.
session_start();
if(!empty($_POST)){
    //validate user & pass. is_valid_user() stands for your own credential check. if valid set session then...
    if(is_valid_user()){
        //issue a fresh session ID on login so an ID handed out before login is not kept (session fixation)
        session_regenerate_id(true);
        //set session
        $_SESSION['loggedIn'] = true;
        //close session. this prevents problems with vars not
        //setting when using a header redirect because you redirect
        //before the session file can write.
        session_write_close();
        //redirect to another page (the header name is "Location")
        header('Location: loggedIn.php');
        //stop the script from running
        exit;
    } else {
        echo "<div class='error'>Login failed.</div>";
    }
}
//echo login form.

?>

A header redirect doesn't show up in the history, so when pressing Back they will not see the page that allows you to repost the form.

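The second answer's one-time verifier and the third answer's post/redirect/get pattern fit together in one script. The following is an added example, not code from any of the answers above: a single-file login.php for PHP's built-in server (run `php -S 127.0.0.1:8080 login.php` and open http://127.0.0.1:8080/). The user name "alice", the demo password, the `login_verifier` session key and the `is_valid_user()` stand-in are all constructed for the example; replace the lookup with your own. It also does what the question's script does not: on logout it destroys the session on the server and expires the cookie instead of blanking a value, so a replayed session ID is no longer accepted.

```php
<?php
// login.php -- added example (not from the original answers).
declare(strict_types=1);

// Session cookie out of reach of scripts and not sent on cross-site navigation.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// Never let the browser serve the login or logged-in view from cache,
// so Back does not display a stale page.
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Pragma: no-cache');
header('Expires: 0');

// Constructed stand-in for a user lookup: one user, hash computed here for the demo.
function is_valid_user(string $user, string $pass): bool
{
    $demoHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
    return $user === 'alice' && password_verify($pass, $demoHash);
}

// Read a POST field as a string; arrays or missing fields become ''.
function post_string(string $key): string
{
    $v = $_POST[$key] ?? '';
    return is_string($v) ? $v : '';
}

// Issue a fresh one-time verifier and remember it in the session (hypothetical key name).
function new_login_verifier(): string
{
    $_SESSION['login_verifier'] = bin2hex(random_bytes(16));
    return $_SESSION['login_verifier'];
}

// Accept the posted verifier at most once: discard it before comparing, so a
// re-POST of the same form (Back, then F5) no longer matches anything.
function consume_login_verifier(string $posted): bool
{
    $expected = $_SESSION['login_verifier'] ?? '';
    unset($_SESSION['login_verifier']);
    return $expected !== '' && hash_equals($expected, $posted);
}

// Real logout: drop the data, destroy the server-side session, expire the cookie.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

$isPost = $_SERVER['REQUEST_METHOD'] === 'POST';

if ($isPost && ($_GET['action'] ?? '') === 'logout') {
    logout();
    header('Location: /');          // redirect after POST: the logout POST is not in history
    exit;
}

if (!empty($_SESSION['loggedIn'])) {
    echo 'Logged in as ' . htmlspecialchars($_SESSION['user']);
    echo '<form method="post" action="/?action=logout"><button>Log out</button></form>';
    exit;
}

$error = '';
if ($isPost) {
    $verifierOk = consume_login_verifier(post_string('verifier'));
    if ($verifierOk && is_valid_user(post_string('username'), post_string('password'))) {
        session_regenerate_id(true);   // new session ID after the privilege change
        $_SESSION['loggedIn'] = true;
        $_SESSION['user'] = post_string('username');
        session_write_close();         // flush the session file before redirecting
        header('Location: /');         // post/redirect/get: Back lands on a GET, not the POST
        exit;
    }
    $error = $verifierOk ? 'Login failed.' : 'Form expired, please try again.';
}

$verifier = new_login_verifier();      // every rendering of the form gets a new token
?>
<!doctype html>
<?php if ($error !== ''): ?><div class="error"><?= htmlspecialchars($error) ?></div><?php endif; ?>
<form method="post" action="/">
  <input type="hidden" name="verifier" value="<?= htmlspecialchars($verifier) ?>">
  <label>User <input name="username"></label>
  <label>Password <input type="password" name="password"></label>
  <button>Log in</button>
</form>
```

The verifier is removed from the session before it is compared, so even a correct re-submission is rejected once the first POST has been consumed; the redirect after a successful login means the browser's history holds only GET requests, which is why F5 no longer re-posts credentials. Logout is a POST rather than a link so that a cross-site image or link cannot trigger it.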
