Jump to content

Recommended Posts

Your browser stores the POST information, I bet if you go back even the form fields are still filled in! Different issue, only way around is to generate an id when you generate every page and then only allow that id to be processed once, but if you say https is too much then this protocol will be for sure!

This isn't a session issue, because upon re-logging in a new session can be generated, the only way I can think is by using a page generation id. This is similar to the concept of captcha generation (but without the image), and can only be used once... I use something similar to generate a public key when generating a login page, but I might add this bit too.

So, what I hear you guys saying is that without somewhat significant other changes, I'm stuck where I'm at?

 

My PHP skills do not allow me do accomplish extending beyond what I learn in forums like this.

 

Thanks for your help, all. When i get some development $$, maybe I can have a "pro" look at this further. Unless you guys have other intellegence for me, I'll call the original issue "solved" and let this go.

Not sure if this works, but...

 

Okay, so here are 2 pages:

 

1. The member page (where you have to be logged in to see)

2. Logout page (logs you out)

 

2 things I could do:

 

1. use cookies to store a session

2. use session to store a session

 

Once the member logs in, create a session using one of those. Then on the member page, call an if statement to check if the cookie/session is set and if it's a valid session number. If so, display the page. Otherwise error.

 

Once logged out, delete the cookie/session.

I guess this works, and yet it doesn't..... When I do a "go back" I get the post data warning and the page displays like it did, HOWEVER... if I use any link on that page, I DO go to the log in page- IOW, I cannot access other data without logging back in.

 

Before (who knows when) I could'a sworn that it went directly to the Log in page and did NOT display the previous data. I guess this IS progress!

You could try and rework the page(s) if you POST to itself, to POST to another page instead.  And what are the values of the FORM fields?

 

But one would think if they were authorized to get in the first time, is it a big deal if they get in again in the same session?

For any authorized user, no, its no big deal. My brother just had his laptop stolen and if this site was on his PC, anybody could've just gotten into history and jumped in (we have that part fixed), or in the case of this script, there are two levels Admin and User. If admin just logged out and someone hit "Back" they'd be into other information.

 

Really not a HUGE deal, just trying to make it appear more professional overall.

 

I POST to their main URL, I may try POSTing to the log in page, but with the current behavior, I can't imagine it acting differently.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.