Larry Ullman's Book Forums

Browser Back Button Allows To Access Accounts Even After Log Out



Hello: 

 

I am reading this book and following along with the examples. I finished ex1 and I am testing the site.

 

I notice that when I log out from an account and then refresh the page, I go back to index.php (which is OK). Now the problem is when I use the back button of the browser. If I go back to the log out page and then back again (to the page where I logged out from), at first there will be an error, but if I refresh the page, there I am, logged back in with all the credentials as if I never logged out.

 

This of course is a flaw. Imagine I am in a public place and I log out of a site and go. Then someone (accidentally or maliciously) sits at the same PC and hits back on the browser twice, and all of a sudden he is logged in to my account.

 

My question is: how can I fix this security hole? Can someone point me in the right direction? Thank you. By the way, Mr. Ullman, if you are reading this: GREAT BOOK!!! Sorry for the long post. Thank you in advance to all who answer.


Thanks for the nice words. I really appreciate it. 

 
I suspect what you're seeing is due to browser caching. To confirm this, I'd close the browser window and then try to re-access the page in a new window. You can also print the contents of $_SESSION on that page to confirm that the session was actually deleted. 

I confirm that if I close the browser, of course I cannot access the page. There is no information in the browser back button stack to get the error, and the page cannot be accessed without the session variables. I output the session array after I log out and it is indeed empty.

I think this error is more about how the login process is done than the output. It is as if, when I press the back button on the browser, my login form gets resubmitted and I am all of a sudden back on the site.

 

One solution I thought about was completely separating the login process (i.e. having a page alone by itself do the login form and log in by redirecting the page to index.php). In this case the headers would change and I do not think I would have this problem. What do you think?

 

But again, I really like the design of having the login as it is in the book. I will keep trying to find a solution. If someone can find one, please share =). Thank you again, Mr. Ullman... Again, great book. I am planning on buying some more of your collection. =)!!! Keep on writing!!!!


  • 2 weeks later...

Hello Mr. Ullman. Yes please, I do still need help with this. I have tried different forums and methods to avoid that from happening, such as changing headers to keep the browser from caching pages, and others, but I still have the problem. If you, or anyone reading the forum, could help me out I would very much appreciate it. Thank you again.


  • 3 weeks later...

OK, after so much research (and a lot of trial and error), I found the solution to the problem.

 

Here it is:

 

Browsers cache the pages, and every time you visit a site or press the back button all you receive is the cached version of the page (including the information that was submitted on a form). When you press the back button, the cached version of the page will be taken (in the case of the login, the Resubmit Form page will appear, and if you refresh you are back on).

 

The solution is not letting the browser cache the page that has the submission. So to do this we just need to change the "header" to something else so that the browser caches something different than the login info.

 

For those who do not understand (and I am pretty sure nobody will get my vague ideas and mind mess till they try it, lol), try to do this on the application.

 

Add the following line of code to your login.inc.php right after you set all the session variables

(right at the end of the password_verify conditional):

 

if (password_verify($p, $row['pass'])) {

    // all the code here

    header('Location: index.php'); // this is the line that will fix the error
    exit; // stop the script so nothing else runs after the redirect

}

 

I found the solution by reading this article:

http://en.wikipedia.org/wiki/Post/Redirect/Get

 

I am aware that I probably did not give the clearest explanation out there, so if there are any doubts and someone still has this problem, please just ask your question and I will happily help out. Thanks, and sorry for the long post.

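The Post/Redirect/Get fix described in the post above, written out as a stand-alone login page. This is an added example, not code from the book or from the poster; the file name login.php, the in-memory $users array and the sample credentials are assumptions made so that it runs on its own.

```php
<?php
// Added example: stand-alone login.php using Post/Redirect/Get.
// login.php, index.php and the $users array are assumptions, not the book's code.
declare(strict_types=1);
session_start();

// Constructed sample account; a real site would query its users table.
$users = ['user@example.com' => password_hash('constructed-sample-pass', PASSWORD_DEFAULT)];

function redirect(string $path): void
{
    // 303 See Other makes the browser issue a fresh GET for $path, so the
    // credential POST is not the history entry that Back or Refresh replays.
    header('Location: ' . $path, true, 303);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $e = is_string($_POST['email'] ?? null) ? $_POST['email'] : '';
    $p = is_string($_POST['pass'] ?? null) ? $_POST['pass'] : '';

    if (isset($users[$e]) && password_verify($p, $users[$e])) {
        session_regenerate_id(true); // new session ID at the privilege change
        $_SESSION['user_email'] = $e;
        redirect('index.php');
    }

    // Failed logins redirect too; the message travels in the session, so
    // this response is never a replayable POST result either.
    $_SESSION['login_error'] = 'The email address and password do not match.';
    redirect('login.php');
}

// GET: render the form and show any one-time error left by the POST branch.
$error = $_SESSION['login_error'] ?? null;
unset($_SESSION['login_error']);
header('Cache-Control: no-store'); // keep the form page out of the browser cache
?>
<?php if ($error !== null): ?>
<p class="error"><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form action="login.php" method="post">
    <input type="email" name="email" required>
    <input type="password" name="pass" required>
    <button type="submit">Log in</button>
</form>
```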

  • 3 weeks later...

Ugh! So so so sorry for not being more helpful here. Thanks for sharing the solution. I really appreciate it. I think your explanation of the solution is very good, but let me know if you still have any questions. I promise to reply more quickly!

