
Authentication and caching


uncleronin


Howdy. I'm currently developing a site which uses cookies to maintain authentication information. It uses a basic login/logout system which involves setting an auth cookie once a user is logged in successfully, and the auth cookie expires when the user logs out, 15 minutes are up, or the browser is closed.

 

Once a user logs out and the auth cookie is deleted I prevent them from going back to the authenticated pages by using:

 

// Tell the browser (and any intermediate cache) not to keep a copy, so "Back" re-requests the page
header("Cache-control: no-cache, no-store");
// Expires set to the current time (HTTP dates are GMT) so any stored copy is already stale
header("Expires: " . gmdate("D, d M Y H:i:s") . " GMT");

 

So when a user goes back, the pages are reloaded, detect that the cookie isn't set (this way the cookie changes are detected right away) and redirect to the main page.

 

What I'm trying to find out is if there is a better, alternative method to this? Are the images on the pages still cached? (I think IE keeps them - I can still see them in the temp internet files folder after closing the browser - but I don't know about Firefox). I'm guessing that the actual pages (the text, etc., not images) are refreshed?

 

I've seen all sorts of methods for going about this but everybody does it in a different way and some of them are ridiculous! Oh yes, the images WILL NOT CHANGE unless I do a complete redesign of the site (in a few years' time) so I don't need to refresh them. I dunno about you but I've seen plenty of PHP sites/forums which do this kind of thing but I can't find out the correct way TO do this! Argh!

 

EDIT: I've just tested the caching with Firefox and IE and they both cache the images regardless, so only the actual page itself is reloaded. Anyone have any ideas about the rest?

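As an added example (not the poster's code, and not from any reply in this thread), here is what the cookie-plus-no-cache approach described above looks like when the cookie value is signed, so that a user who can read the cookie still cannot edit the user name or the 15-minute expiry inside it. AUTH_SECRET and /login.php are placeholders; the setcookie() options array needs PHP 7.3 or later.

```php
<?php
// Added example, not the poster's code. AUTH_SECRET and /login.php are placeholders.
const AUTH_SECRET = 'replace-with-a-long-random-secret';   // placeholder, keep out of the web root
const AUTH_TTL    = 15 * 60;                               // 15 minutes, as in the post

// Send on every protected page so the Back button re-requests it instead of showing a cached copy.
function send_no_cache_headers(): void {
    header('Cache-Control: no-cache, no-store, must-revalidate');
    header('Expires: ' . gmdate('D, d M Y H:i:s') . ' GMT');
}
// Cookie value is "user|expiry|hmac"; the HMAC stops anyone who reads the cookie from editing it.
function make_auth_cookie(string $user, int $now): string {
    $exp = $now + AUTH_TTL;
    $mac = hash_hmac('sha256', "$user|$exp", AUTH_SECRET);
    return "$user|$exp|$mac";
}
// Returns the user name on success, null on any failure (malformed, tampered or expired).
// The 15 minutes are enforced here, server side, rather than trusting the browser to drop the cookie.
function verify_auth_cookie(?string $value, int $now): ?string {
    if ($value === null || substr_count($value, '|') !== 2) return null;
    [$user, $exp, $mac] = explode('|', $value, 3);
    $expected = hash_hmac('sha256', "$user|$exp", AUTH_SECRET);
    if (!hash_equals($expected, $mac)) return null;          // constant-time comparison
    if (!ctype_digit($exp) || (int)$exp <= $now) return null; // expired or not a timestamp
    return $user;
}
function issue_login(string $user): void {
    // expires => 0 makes it a browser-session cookie, so it is dropped when the browser closes.
    setcookie('auth', make_auth_cookie($user, time()), [
        'expires' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
}
function do_logout(): void {
    setcookie('auth', '', ['expires' => time() - 3600, 'path' => '/']);
}
// Put at the top of every protected page; returns the logged-in user name or redirects.
function require_login(): string {
    send_no_cache_headers();
    $user = verify_auth_cookie($_COOKIE['auth'] ?? null, time());
    if ($user === null) {
        do_logout();                 // clear a stale or tampered cookie
        header('Location: /login.php');
        exit;
    }
    return $user;
}
```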

So when a user goes back, the pages are reloaded, detect that the cookie isn't set (this way the cookie changes are detected right away) and redirect to the main page.

 

What I'm trying to find out is if there is a better, alternative method to this?

So what is your question??? It's not very clear, which might be why you're not getting replies.

 

Are you trying to find a different way to detect/store/manage cookies, or some way to make the page check if cached files exist on the target computer's local system? If so, that's all handled by the browser, not the page. Same with a proxy; if it supports caching, then the caching recall happens at the proxy level, not the page/site level.


??? I'm basically trying to find out the best way to handle authentication and authorisation on the site, so that only logged-in users can view site pages. Once they've logged out they must be unable to view any site pages until they've logged in again (even if they press the back button they are redirected to the login page since they are not authenticated). At the moment I have this in place (like I mentioned) but I want to know if this is a good way to do this? I've only just started using PHP and doing web design so I have very little experience and don't know about the best practices. I've only ever worked with Windows apps so I'm pretty much flailing around at the moment.


You need to learn SESSIONS and then you'll get the answer to your question, ok.

 

If a user is logged in with a session set then that user can view the page, but if they are not logged in and have no session then they don't get to see the page or pages.

 

Do a tutorial on membership/login scripts, ok.


I know how to use sessions but they are NOT the answer. I don't want users to be able to close the browser, reopen it and still have access to restricted pages. That kinda defeats the point, since anybody can reopen the browser once the legitimate user has left and access the same pages (provided the session is still active).

 

One of my main goals is to make allowance for the fact that a user won't always log out, but might close the browser instead. If sessions are used, the session remains active once the user has closed the browser (since the server will be holding the session variables until the session expires). Plus I don't want the server to have any more overhead than is necessary.

 

Sessions would have been okay, but unless there is some way for the server to know that a user has closed the browser (without using JavaScript, continuous refreshing, timers or some other scripts) they are out of the question. Security is an issue since confidential information is on the line.

 

Obviously cookies are a bit of a problem since they can be read and are sometimes disabled but in this instance the users all have cookies enabled and the majority know nothing about cookies. If the user logs out or the browser is closed, the cookies are removed so there is little chance of them being seen by an outsider.

 

At the moment, using cookies and the cache settings from my first post, any cookies I set are detected immediately and can be used right away (thanks to the 'reload') and the pages are quite secure (using tiny authentication scripts I've written). Obviously it's not foolproof, nothing is, but it accomplishes everything I need. The goal of this post was to find out the best/correct way to do these kinds of things. I've done plenty of web searching and a lot of people don't know what they're doing! They simply try something, it works and then they presume it to be the best/only way. Even with my current amount of experience in PHP I can see when someone is doing something incorrectly/risky. Since I'm still new to PHP I thought I'd post here to see if any of the people who actually know what they're doing have alternatives or can find flaws in my way of doing things (I'm sure there are plenty!) so I can make sure what I am doing is as correct as possible.

 

*breathes*

 

I realise that my post is quite long and very susceptible to flaming but could somebody please give me a solid answer? Referring me to tutorials doesn't do me all that good since the majority aren't all that secure. I need to understand the underlying concepts rather than simply copy-pasting someone else's code (like most folks nowadays unfortunately). God, I sound like I'm whining. In any case, any help you guys/gals can offer would be appreciated.

 

Ah, it's raining... *wanders around in the rain*

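For comparison with the post above, here is an added example (not from any poster in this thread) of the session-based alternative with the two concerns it raises handled on the server: the session ID cookie is issued with lifetime 0, so a browser that is closed and reopened has no ID to present, and an idle timeout discards a login that has not been used for 15 minutes whether or not the user logged out. /login.php is a placeholder; session_set_cookie_params() with an options array needs PHP 7.3 or later.

```php
<?php
// Added example, not the poster's code. /login.php is a placeholder.
const IDLE_LIMIT = 15 * 60;   // seconds of inactivity before the login is discarded

function start_auth_session(): void {
    // lifetime 0: the session ID cookie lives only for the browser session, so a reopened
    // browser cannot present it even if the server-side data has not been garbage-collected yet.
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
    header('Cache-Control: no-cache, no-store, must-revalidate');
    header('Expires: ' . gmdate('D, d M Y H:i:s') . ' GMT');
}
// Call after start_auth_session() once the password check has passed.
function login_user(string $user): void {
    session_regenerate_id(true);          // fresh ID after login; the pre-login ID is invalidated
    $_SESSION['user'] = $user;
    $_SESSION['last_seen'] = time();
}
// Returns the user name when the session holds a login that is still fresh, null otherwise.
// Takes the session array and the clock as parameters so the rule is easy to read and test.
function session_user(array $sess, int $now): ?string {
    if (!isset($sess['user'], $sess['last_seen'])) return null;
    if ($now - (int)$sess['last_seen'] > IDLE_LIMIT) return null;   // idle too long
    return $sess['user'];
}
function logout_user(): void {
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
// Put at the top of every protected page; returns the user name or redirects to the login page.
function require_login(): string {
    start_auth_session();
    $user = session_user($_SESSION, time());
    if ($user === null) {
        logout_user();                    // drop whatever was there, expired or not
        header('Location: /login.php');
        exit;
    }
    $_SESSION['last_seen'] = time();      // sliding idle window
    return $user;
}
```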

Not sure if this is possible using the current technologies, but here is an idea I thought of after reading your rather large post, which I didn't actually read all of...

 

If there is a way in javascript to find out when the user closes the browser, use AJAX to tell PHP to terminate the session.


Once a page is closed, after around 1 min the session is dead, so what's the problem? I have used sessions for years, no problems, sessions rock.

 

Are you absolutely sure about that? I've read in a lot of places that sessions only expire when they have reached the end of their lifetime. Plus, doesn't this also depend on the server? If it does close after 1 minute then how does that work? I can't see the browser constantly polling the server to let it know the session is still active or inactive.

 

Not sure if this is possible using the current technologies, but here is an idea I thought of after reading your rather large post, which I didn't actually read all of...

 

If there is a way in javascript to find out when the user closes the browser, use AJAX to tell PHP to terminate the session.

 

For this I was wondering if it wasn't maybe possible to use the OnUnload event. The thing is I'm trying to use JavaScript as little as possible. A lot of corporate companies disable JavaScript because of how insecure it can be (obviously this depends on the browser *cough* IE *cough*). In comparison JavaScript is hellishly more insecure than using cookies so cookies are the best choice. Probably the biggest reason to not use JavaScript is that my scripts are visible and the last thing I need is for some malicious person to read them and find out how my site works.

