[SOLVED] User-Pass showing in URL

[Grant Holmes]

I thought I had this beat months ago, but when I set up my stuff on a new server the problem is back and I have no clue how I beat it last time.

 

Back then, when I logged out, I could use the back button and go right back into the "secured" pages. THAT is fixed, but the username and password are still showing in the address bar:

http://www.mydomain.com/secure/data.php?SECemailpass=&SECloginusername=admin&SECloginpassword=Th3PassW0rd&SEClogin=Login

I know one person that helped then told me it was the difference between "Get" and "Post", but I'm not sure I even remember that as correct. I don't remember if that solved the "back button" issue or the URL issue. At this time, if I log out, I cannot go back and view pages (I go back to log in).

 

So, how do I fix the user/pass showing in the Address bar and being part of the history file?

 

I THINK I'm posting the relevant portion of my log-in code:

 
  <input type='hidden' id='SECemailpass' name='SECemailpass' value=''>

  <center>

  <table style='font:10pt arial;'>

    <tr>

      <td>Username:  </td>

      <td><input type='text' name='SECloginusername' value='<?php echo $_REQUEST['SECloginusername']; ?>'></td>

    </tr><tr>

      <td>Password:  </td>

      <td><input type='password' name='SECloginpassword' value='<?php echo $_REQUEST['SECloginpassword']; ?>'>

        <span style='font-size:8pt'>

        <a href='javascript:SECEmailPassword();'>Forgot your password?</a>

        </span>

      </td>

    </tr><tr>

      <td></td>

      <td align='center'><input type='submit' name='SEClogin' value='Login'></td>

    </tr>

  </table>

[papaface]

Why on earth are you sending the password through the URL ???

[tinker]

can you show just before where you've started, the form opening tag, with the bit that states the method (it should be post)

[Grant Holmes]

Papaface: This was written for me 2-3 years ago by a programmer... I have no idea. I was told that it was the function of the way the form was done. I'm really weak in PHP.

 

Tinker, Sorry, I thought I'd done that.

  <form id='SECloginform' name='SECloginform' method='get' action='<?php echo basename($PHP_SELF); ?>'>

 

It appears its using "get"

[adam291086]

You should be using post, then have a script that uses these posted variables to verify the users login credentials. Google php authentication tutorials. There are hundreds of them out there

[tinker]

Change this:

  <form id='SECloginform' name='SECloginform' method='get' action='<?php echo basename($PHP_SELF); ?>'>

to

  <form id='SECloginform' name='SECloginform' method='POST' action='<?php echo basename($PHP_SELF); ?>'>

and since it seem's your using $_REQUEST['*'] statements you should be ok, if not then you may need to change the appropiate $_GET['*'] statements to $_POST['*'] or to be sure $_REQUEST['']...

 

Halfway down this page there's some information on the subject.

[Grant Holmes]

Adam & Tinker. Thanks. I changed the "get" to "POST" and all appears well.  The script does do authentification and uses a MySQL backend to track log-ins, etc. It's really a pretty nice piece of code...for the most part.

 

Anyhow, Am I correct in thinking that this issue on logging in (and seeing/not seeing the stuff in the address bar) has nothing to do with logging out and being able to "go back" to a viewable page or log in page as described above?

[tinker]

Nothing at all!

GET's become part of the URL, and POST's are sent multipart (somewhat hidden), neither way is truly safe, you'd want to be using https or some js encryption for that...

[Grant Holmes]

I just didn't want it to be so easy (like jumping into history) to be able to log in.

 

Using https for what we're doing is probably overkill.

 

So, now I'm noticing that the LOG OUT thing I thought I had beat, isn't. Before, I thought just days ago (NOW what did I break!??!?!), when I hit the logout link, and went BACK (browser button) I went back to the log in page. Now I get a "this page displaying post data" warning and I'm back in my secure page.

 

Sigh  ???

 

This code is further down in that code for when you hit the log out link. Is this helpful to troubleshoot that?

...}

function SECShowLogoutLink() {

  global $SEClogoutstyle;

  echo "<a style='$SEClogoutstyle' href='".basename($PHP_SELF)."?SEClogout=1'>logout</a>";

}...

[adam291086]

where do you call on that function in your script.

[revraz]

That's because it used POST data to send the info, so if you go BACK, then it tries to post it again.

 

So on the logout page, do a header re-direct out of it, so if they hit BACK, it just brings them back to the logout again.

[tinker]

Your browser stores the POST information, I bet if you go back even the form fields are still filled in! Different issue, only way around is to generate an id when you generate every page and then only allow that id to be processed once, but if you say https is too much then this protocols will be for sure!

[Grant Holmes]

In a php file where we hold some variables, I have this:

//
// Modify the URL to point to the logout page. This must be a complete URL.
// This is the page at which you'll be dumped after logging out.
$SECdumpurl = "http://www.ThePageToGoTo.com/";

 

then later in that page, we have this:

//***************************************************************************//

// Log out user.

//***************************************************************************//

//

if ($_REQUEST['SEClogout']==1) {

  $_SESSION = array(); // delete all session vars

  header("Location: $SECdumpurl");

}

[revraz]

Could always clear the $_POST array upon logout too.

[Grant Holmes]

Revraz... (Newbie here) not so much that I'm new to PHP, as I AM, but I'm always more on the "creative" side and get stuck occasionally fixing stuff I probably shouldn't be allowed to see. 

 

That's to say, How would I do that??? Can I do that within that code snippet above?

[revraz]

This would probably be easier, assuming you have session_start(); already at the top of the page where this is

 

//***************************************************************************//

// Log out user.

//***************************************************************************//

//

if ($_REQUEST['SEClogout']==1) {

  session_destroy();
  header("Location: $SECdumpurl");

}

[tinker]

whether the session is destroyed or the page redirected, if I was to use the history list and jump back to appropriate page and send it off i'd still get in. However this is only really an issue in a public (cafe / work / uni) place, but if you close down the browser (with clear history option enabled) then your good to go...

[redarrow]

also if that dont work use unset() function to unset the session's........

[redarrow]

also if that dont work use unset() function to unset the session's........

 

example

if ($_REQUEST['SEClogout']==1) {

session_destroy();
unset($password);
unset($username);
header("Location: $SECdumpurl");

}
?>

[Grant Holmes]

That stuff seems to defeat IE pretty easily, but FFox is still able to "go back" and reload the page. Here's what I have now:

// Log out user.
//***************************************************************************//
//

if ($_REQUEST['SEClogout']==1) {

session_destroy();
unset($password);
unset($username);

  header("Location: $SECdumpurl");

}

 

When in FireFox, I can still use my browser to GO BACK, I okay the postdata warning and the "secure" page still loads

 

[redarrow]

trie that

<?php

/* set the cache limiter to 'private' */

session_cache_limiter('private');
$cache_limiter = session_cache_limiter();

/* set the cache expire to 1 minutes */
session_cache_expire(1);
$cache_expire = session_cache_expire();

/* start the session */

session_start();

if ($_REQUEST['SEClogout']==1) {

session_destroy();


  header("Location: $SECdumpurl");

}
?>

 

[Grant Holmes]

As I attempt to implement your solution, can you tell me what the CACHE limiter does? Is that a time out? Like after one minute of not being used it requires log in again?

[Grant Holmes]

BTW, this is what my session_start is at the moment...

//***************************************************************************//
$SECactive = true;
session_start();
//***************************************************************************//

 

I assume the first couple lines of your solution would replace my second actual "session_start():" line

[redarrow]

session_cache_expire() returns the current setting of session.cache_expire.

 

The cache expire is reset to the default value of 180 stored in session.cache_limiter at request startup time. Thus, you need to call session_cache_expire() for every request (and before session_start() is called).

 

 

url

http://uk3.php.net/manual/en/function.session-cache-expire.php

[Grant Holmes]

I'll look at that link. Thanks. The bad news is that I'm still able to "go back" and see the secure page after hitting logout.