Jump to content

Recommended Posts

I am building an app which requires a very secure environment. Because of this, I am using a form key on every POST, both for regular forms and also Ajax calls. This key is stored as a session variable, and is reset whenever a POST occurs. A validation script checks the submitted key against the servers key and kicks he user out of they don't match. This ensures POSTs are coming from a trusted source.  It works great, and I think has made the site very hard to attack or hack.  That said, it has broken the browsers back button. If I hit back, the old form key is posted, and they don't match and it kicks the user out. 

 

I don't want a broken back button, but not sure what to do. Any ideas??

 

James

Link to comment
https://forums.phpfreaks.com/topic/285451-back-button-form-key-issue/
Share on other sites

I'm a little confused. You state "This key is stored as a session variable". But, then you state "If I hit back, the old form key is posted". If it is a session variable then how is it in the POST data?

 

I'm curious what you are really trying to achieve here. What are you protecting against by having the key that changes on each POST load? Once you know you have a trusted user, can you not set a single, unique session variable and check that same value on every POST submission?

  • 2 weeks later...

Like @guru said not she if what you are going is needed but I must say I like it.  I have never heard or thought of doing it but will now think it over.

 

Now for your issue.  even if you did not have your key idea the issue of the back button (reload) always has been a problem.  What I did to solve it was for any form post it is done in a window that delete itself after the post so the user can never click the back button as it is no longer there for that window.  Now you do not need to actually use a NEW window you can use a modal one.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.