how to make a logon page more secure?

[cluce]

I am trying to prevent the logon and previous buttons from logging in a user. Even after they log out.  can someone me any suggestions on how to disable this?? What code or functions could I use??

[redarrow]

sorry what?

[trq]

Try using the header function to prevent caching. eg;

 

<?php

  header("Cache-Control: no-cache, must-revalidate");
  header("Expires: Mon, 01 Jan 1900 00:00:00 GMT");

?> 

[taith]

on the pages that are secured by user, just put the

if_empty($_SESSION[yoursessvar]) header(direct me away);

or whatnot...

[cluce]

I was talking about on the internet browsers.........I am trying to prevent the user from logging on with the next and previous buttons on the browser. Even after they log out.  can someone me any suggestions on how to disable this?? What code or functions could I use??

 

thanks for your replies. I will check it out.

[cluce]

here is the code I am using .......can someone tell me how to modify this on how I can do this.....

 

<?php

//check for required fields from the form

if ((!isset($_POST["username"])) || (!isset($_POST["password"]))) {

header("Location: userlogin.html");

exit;

}

 

//connect to server and select database

$mysqli = mysqli_connect("localhost", "root", "", "test");

 

//create and issue the query

$sql = "SELECT f_name, l_name FROM auth_users WHERE username = '".$_POST["username"]."' AND password = PASSWORD('".$_POST["password"]."')";

$result = mysqli_query($mysqli, $sql) or die(mysqli_error($mysqli));

 

//get the number of rows in the result set; should be 1 if a match

if (mysqli_num_rows($result) == 1) {

 

//if authorized, get the values of f_name l_name

while ($info = mysqli_fetch_array($result)) {

$f_name = stripslashes($info['f_name']);

$l_name = stripslashes($info['l_name']);

}

 

//set authorization cookie

setcookie("auth", "1", 0, "/", "yourdomain.com", 0);

 

//directs authorized user

header("Location: logon.php");

 

//prevents cache of logon info

  header("Cache-Control: no-cache, must-revalidate");

      header("Expires: Mon, 01 Jan 1900 00:00:00 GMT");

 

} else {

//redirect back to login form if not authorized

header("Location: registration.html");

exit;

}

?>

<html>

[taith]

you cannot disable the back/forward buttons, however if you turn off your cache, and verify if the user is logged in on all of your "secured" spots... if they press back, it'd redirect them to a different page...

[cluce]

well how do you tunr off the cache? The code that was posted didn't seem to work. at least in the places where I coded. 

[taith]

header("Cache-Control: no-store, no-cache, must-revalidate");

header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");

header("Cache-Control: post-check=0, pre-check=0", false);

header("Pragma: no-cache");

 

there goes any/all forms of cache

[cluce]

cool; thanks.

 

if you can tell me . but where do I put that code in my page?

[pocobueno1388]

If you have a header file, it would be best to put it at the top of that script. Then it will be in effect on every page the users click. Or if you are just worried about your "logout" page...put it at the top of the logout script...