Warning Page Has Expired?

Anon

Yes Im new and my techniques are probably in doubt, please advise me.

I Have a login page. When they successfully login session variables are created. The login page then shows an include greeting them and showing links. When they click on the links and move around they are in the session. When they hit logout they are again at the login page.

When I hit backspace and back up through the pages of the links the session variables are empty so the page does not show. When they back up all the way to the log in page they get the "Warning Page has expired". Refreshing this page amazingly apparently relogs them in even though all the session variables should be destroyed. Its like the login page is keeping the variables.

What am I doing wrong? How do you deal with the "Warning Page has expired" crap? Please clue me in. Im gonna include my login code here and you all can tell me how less than perfect it is. Thanks You.

<?
include("hold/sess.php");
print $loggedin;
print "here";
print $usr;
print $pswd;
?>

<head>
<title>Coleman Cable InfoXpress Login</title>
</head>
<body><center>

<?
require("hold/topbar2.htm");

if (!isset($usr)&&!isset($pswd)&&($loggedin!='y')){
//user needs to enter name password
?>

<h3>Please enter Username and Password to Log in to InfoXpress</h3>
<? print "<form action=\"$PHP_SELF\" method=\"POST\">\n";
//<form method=post action="index.php">?>

<p><strong> Username:</strong><br>
<input type="text" name="usr" size=12 maxlength=12></p>
<p><strong> Password:</strong><br>
<input type="text" name="pswd" size=12 maxlength=12></p>
<p><input type="SUBMIT" name="submit" Value="Log In"></p>
</form>

<?
}
else
{
// connect to db
include ("hold/db.inc");

// query user file for match
$query = "select * from col_user where u_uname='$usr' and u_pswd='$pswd'";

$result = mysql_query( $query );
if(!$result)
{
echo "Query failed";
exit;
}

$num_rows = mysql_num_rows( $result );
// must be found and usr and password can not be blank
if (($num_rows > 0))
{
// user password correct
// register session variables
//include("hold/regsess.php");
$myrow = mysql_fetch_array($result);
$repname = $myrow["u_repname"];
$repnum = $myrow["u_repnum"];
$reptype = $myrow["u_reptype"];
// indicate successfully logged in

$loggedin = 'y';
$usr = '';
$pswd = '';
$result = '';

echo "<br>";
include("nav/navbar.htm");
echo "<br>";echo "<br>";
echo "Access Granted!";
echo "<br>";echo "<br>";
echo "Welcome $repname";

}
else
{
echo "<br>";echo "<br>";
echo "Login Has Not Found A Match; Entry Rejected";

}
}
?>

</center>
</body>

mithril

Lemme guess... IE right? IE always gives that warning if you use the back button to return to a page which is the result of submitting the form. Unlike Netscape and Mozilla, IE doesn't automatically re-submit the posted data. Don't ask me why, it just doesn't🙂 Thus, there really isn't much you can do about it besides just living with it. HTH.

Geoff A. Virgo

Anon

Thanks for the response. So does this really mean that you can never completely log someone off totally?

Is there a way to shut down the browser when the user logs off?

mithril

TomG,

Assuming that everything else is working properly, your user is properly logged out since the session variable has been destroyed.

Basically what's happening is that IE, unlike Netscape and Mozilla, doesn't cache pages that are displayed as the result of form submissions, rather it caches the data that was submitted. Thus when you back button into the results of the login screen IE requests you resubmit the form used the variable data it has cached. In this case it is having the same effect as a new login and creates a new session. You may be able to find a work around to this using JavaScript, but I've not found a way to do it using PHP or HTML. I just look at it as one of the ruddy annoying things that IE does, shrug, and ignore it since I can't really do much about it. Besides, even if I leave with an active session, session management will eventually clean up the mess. Unless you've modifed the default, the session cookie will be deleted at the end of my browser session and the session file on the server will be removed by the garbage collector after 1440 seconds (again, the default).

Now, shutting down the browser at logoff, 2 points:

1) as a general rule of thumb I'd say don't do it

I'd be kinda annoyed if I had my browser closed for me. Sorta the same thing as if you poped up a couple extra advertising windows. You might be able to get away with it in an intranet environment, but even there you're probably going to annoy more people than it's worth.

2) be carefull of how much you rely on client-side scripting for application critical events like session management and data validation as it puts to much application logic control in the hands of your user

If you do want/need to go the browser shutdown route, you'll need to use JavaScript to do it. PHP doesn't know, and doesn't care, about the client browser beyond the info that's sent during the HTTP-Request. As a result, PHP can't control anything on the client machine. Also, you'll still need to figure out another way to make sure I don't re-initialize my session in case I have JavaScript disabled in my browser (which I often do). HTH.

Geoff A. Virgo

Anon

Thanks again I appreciate the input.

Ok I guess Ill deal with it. So is it fair to say PHP alone should not be used to have an absolutely secure web application.

mithril

The statement about PHP and absolutely secure app's is true, to a point, but it also applies to every scripting language. There are all sorts of considerations that must go into building a secure app, and the underlying code logic is merely one of them (albeit a pretty important one🙂.

However, the problem with IE forcing you to reload form submission generated pages isn't really a security problem as long as the original form submission is secure. After all, really all you're doing when IE forces you to reload the form is re-submitting the form using variable data stored in IE's cache. It's essentially the same as the the initial login process. As long as you're not storing things like unencrypted passwords in your session data you're pretty safe.

For info on encryption, check out the mcrypt functions in the manual (mcrypt is not supported on Win32) and the md5() function. The md5() functionality is supported on both *Nix and Win32, and a good example of how to encrypt/decrypt md5 hashes using keys is given in the user contributed notes.

HTH.

geoff