tinker (Posted January 14, 2008)

Your browser stores the POST information, I bet if you go back even the form fields are still filled in! Different issue, only way around is to generate an id when you generate every page and then only allow that id to be processed once, but if you say https is too much then this protocol will be for sure!

This isn't a session issue, because upon re-logging in a new session can be generated, the only way I can think is by using a page generation id. This is similar to the concept of captcha generation (but without the image), and can only be used once... I use something similar to generate a public key when generating a login page, but I might add this bit too.

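A sketch of the single-use page id described in the post above, applied to a login form so that a credential POST replayed from browser history is refused. This is an added example, not code from the thread; the field names, the demo account and `member.php` are assumptions.

```php
<?php
// Added example. Field names, the demo account and member.php are assumptions.
session_start();

// Constructed demo account; a real site would load the hash from its user store.
$users = ['demo' => password_hash('constructed-demo-password', PASSWORD_DEFAULT)];

/** Create an id for this one rendering of the login form and remember it server-side. */
function issue_page_id(): string
{
    $id = bin2hex(random_bytes(16));
    $_SESSION['page_ids'][$id] = time();          // issue time, used for expiry
    return $id;
}

/** Accept an id at most once, and only within $ttl seconds of being issued. */
function consume_page_id($id, int $ttl = 600): bool
{
    if (!is_string($id) || !isset($_SESSION['page_ids'][$id])) {
        return false;                             // unknown, or already used
    }
    $issued = $_SESSION['page_ids'][$id];
    unset($_SESSION['page_ids'][$id]);            // burn it before doing any work
    return (time() - $issued) <= $ttl;
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
    $pass = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
    if (!consume_page_id($_POST['page_id'] ?? null)) {
        $error = 'This form was already submitted. Please log in again.';
    } elseif (isset($users[$user]) && password_verify($pass, $users[$user])) {
        session_regenerate_id(true);              // new session id after login
        $_SESSION['user_id'] = $user;
        header('Location: member.php', true, 303);
        exit;
    } else {
        $error = 'Wrong user name or password.';
    }
}
$pageId = issue_page_id();
?>
<p><?= htmlspecialchars($error, ENT_QUOTES) ?></p>
<form method="post">
    <input type="hidden" name="page_id" value="<?= htmlspecialchars($pageId, ENT_QUOTES) ?>">
    <input name="username"> <input type="password" name="password">
    <button type="submit">Log in</button>
</form>
```
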
Grant Holmes (Author, Posted January 14, 2008)

So, what I hear you guys saying is that without somewhat significant other changes, I'm stuck where I'm at? My PHP skills do not allow me to accomplish extending beyond what I learn in forums like this.

Thanks for your help, all. When I get some development $$, maybe I can have a "pro" look at this further. Unless you guys have other intelligence for me, I'll call the original issue "solved" and let this go.

Ken2k7 (Posted January 14, 2008)

Not sure if this works, but...

Okay, so here are 2 pages:
1. The member page (where you have to be logged in to see)
2. Logout page (logs you out)

2 things I could do:
1. use cookies to store a session
2. use session to store a session

Once the member logs in, create a session using one of those. Then on the member page, call an if statement to check if the cookie/session is set and if it's a valid session number. If so, display the page. Otherwise error. Once logged out, delete the cookie/session.

Stooney (Posted January 14, 2008)

Try this

```php
<?php
// Log the user out when the logout flag is present in the request.
if (isset($_REQUEST['SEClogout']) && $_REQUEST['SEClogout'] == 1) {
    session_destroy();                      // requires session_start() earlier in the script
    unset($_POST['SECloginusername']);
    unset($_POST['SECloginpassword']);
    header("Location: $SECdumpurl");
    exit;                                   // stop here so the rest of the page is not sent
}
?>
```

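The session check from Ken2k7's post and the logout from Stooney's post, combined into one member page that also tells the browser not to keep a copy for the Back button. This is an added example, not code from the thread; `user_id`, `login.php` and the `logout` field are assumed names.

```php
<?php
// Added example. 'user_id', login.php and the 'logout' POST field are assumptions.
session_start();

/** Send headers telling the browser not to store this page for history or Back. */
function forbid_caching(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
}

/** End the session on the server and expire the session cookie in the browser. */
function log_out(): void
{
    $_SESSION = [];                               // drop data for the rest of this request
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                            // remove the server-side record
}

// Logout is a POST so that a stray link or image tag cannot trigger it.
if (($_POST['logout'] ?? '') === '1') {
    log_out();
    header('Location: login.php', true, 303);
    exit;                                         // nothing after the redirect may run
}

// Authorisation depends only on server-side session state, never on POST data
// the browser may resend from its history.
if (empty($_SESSION['user_id'])) {
    header('Location: login.php', true, 303);
    exit;
}

forbid_caching();
?>
<p>Member content for <?= htmlspecialchars((string) $_SESSION['user_id'], ENT_QUOTES) ?></p>
<form method="post">
    <button type="submit" name="logout" value="1">Log out</button>
</form>
```
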
Grant Holmes (Author, Posted January 14, 2008)

I guess this works, and yet it doesn't..... When I do a "go back" I get the post data warning and the page displays like it did, HOWEVER... if I use any link on that page, I DO go to the log in page - IOW, I cannot access other data without logging back in.

Before (who knows when) I could'a sworn that it went directly to the Log in page and did NOT display the previous data. I guess this IS progress!

revraz (Posted January 14, 2008)

You could try and rework the page(s) if you POST to itself, to POST to another page instead. And what are the values of the FORM fields?

But one would think if they were authorized to get in the first time, is it a big deal if they get in again in the same session?

Grant Holmes (Author, Posted January 14, 2008)

For any authorized user, no, it's no big deal. My brother just had his laptop stolen and if this site was on his PC, anybody could've just gotten into history and jumped in (we have that part fixed), or in the case of this script, there are two levels, Admin and User. If admin just logged out and someone hit "Back" they'd be into other information. Really not a HUGE deal, just trying to make it appear more professional overall.

I POST to their main URL, I may try POSTing to the log in page, but with the current behavior, I can't imagine it acting differently.

revraz (Posted January 14, 2008)

Once the session expired, you can't get in even with the History, if you are using sessions as the variables and not cookies.

revraz (Posted January 14, 2008)

Unless your session timeout in your php.ini file is set for a real long time.

*Sorry, they changed the edit timeout to 2 mins, so had to make a new post.

Grant Holmes (Author, Posted January 14, 2008)

I didn't see the edit. I'd asked in there somewhere what that number does. I read the post link, but was pretty much Greek to me. What does it do?

Not using cookies. I'm pretty sure we're using the variables.