[SOLVED] User-Pass showing in URL

[tinker]

Your browser stores the POST information, I bet if you go back even the form fields are still filled in! Different issue, only way around is to generate an id when you generate every page and then only allow that id to be processed once, but if you say https is too much then this protocol will be for sure!

This isn't a session issue, because upon re-logging in a new session can be generated, the only way I can think is by using a page generation id. This is similar to the concept of captcha generation (but without the image), and can only be used once... I use something similar to generate a public key when generating a login page, but I might add this bit too.

[Grant Holmes]

So, what I hear you guys saying is that without somewhat significant other changes, I'm stuck where I'm at?

 

My PHP skills do not allow me do accomplish extending beyond what I learn in forums like this.

 

Thanks for your help, all. When i get some development $$, maybe I can have a "pro" look at this further. Unless you guys have other intellegence for me, I'll call the original issue "solved" and let this go.

[Ken2k7]

Not sure if this works, but...

 

Okay, so here are 2 pages:

 

1. The member page (where you have to be logged in to see)

2. Logout page (logs you out)

 

2 things I could do:

 

1. use cookies to store a session

2. use session to store a session

 

Once the member logs in, create a session using one of those. Then on the member page, call an if statement to check if the cookie/session is set and if it's a valid session number. If so, display the page. Otherwise error.

 

Once logged out, delete the cookie/session.

[Stooney]

Try this

 

if ($_REQUEST['SEClogout']==1) {

session_destroy();
unset($_POST['SECloginusername']);
unset($_POST['SECloginpassword']);
header("Location: $SECdumpurl");

}
?>

[Grant Holmes]

I guess this works, and yet it doesn't..... When I do a "go back" I get the post data warning and the page displays like it did, HOWEVER... if I use any link on that page, I DO go to the log in page- IOW, I cannot access other data without logging back in.

 

Before (who knows when) I could'a sworn that it went directly to the Log in page and did NOT display the previous data. I guess this IS progress!

[revraz]

You could try and rework the page(s) if you POST to itself, to POST to another page instead.  And what are the values of the FORM fields?

 

But one would think if they were authorized to get in the first time, is it a big deal if they get in again in the same session?

[Grant Holmes]

For any authorized user, no, its no big deal. My brother just had his laptop stolen and if this site was on his PC, anybody could've just gotten into history and jumped in (we have that part fixed), or in the case of this script, there are two levels Admin and User. If admin just logged out and someone hit "Back" they'd be into other information.

 

Really not a HUGE deal, just trying to make it appear more professional overall.

 

I POST to their main URL, I may try POSTing to the log in page, but with the current behavior, I can't imagine it acting differently.

[revraz]

Once the session expired, you can't get in even with the History, if you are using sessions as the variables and not cookies.

[revraz]

Unless your session timeout in your php.ini file is set for a real long time.

 

*Sorry, they changed the edit timeout to 2 mins, so had to make a new post.

[Grant Holmes]

I didn't see the edit. I'd asked in there somewhere what that number does. I read the post link, but was pretty much Greek to me. What does it do?

 

Not using cookies. I'm pretty sure we're using the variables.