Dear all,
I recently implemented an user authentication mechanism on a web site for only allowing members to view the secure contents. The authentication mechanism itself works great.
However I found a problem in it. When I log out from the secure contents (a button for logging out is placed there), if I hit the Back Button, the browser (IE6) asks me if I want to resend the cached info and if I hit yes, the browser resends the Form data, in this case, the "previously input User ID and Password", and I am logged in again and the secure contents are showing again!
I don't want this to happen. Suppose I just logged out from the secure contents session, the browser returned to the log in screen. I left the computer and another user came and hit the Back button and he would see all my secure contents!
The codes are as follows:
<?php
[COLOR=DarkOrange]// start session if not already started[/COLOR]
session_start();
[COLOR=DarkOrange]// check to see if user just logged out by hitting the logout button[/COLOR]
$logout = $_POST['FormLogout']; [COLOR=DarkOrange]// a hidden Form field with value of 1 returned by the logout button[/COLOR]
if ($logout) {
session_unregister("valid_user");
session_unset();
session_destroy();
session_start();
}
function write_login($mesg) {
echo $mesg;
echo " <FORM name=\"FormLogin\" action=\"\" method=\"post\">";
echo " User ID:";
echo " <INPUT type=\"text\" name=\"FormUser\">";
echo " Password:";
echo " <INPUT type=\"password\" name=\"FormPassword\">";
echo " <INPUT type=\"submit\" value=\"Login\">";
echo " </FORM>";
} [COLOR=DarkOrange]// end write_login function[/COLOR]
function verify() {
[COLOR=DarkOrange]// check to see if userid and password are valid[/COLOR]
$userid = $_POST['FormUser'];
$password = $_POST['FormPassword'];
if ($userid && $password) { [COLOR=DarkOrange]// if both User ID and Password have been input[/COLOR]
$db = mysql_connect("localhost", "guest", "guestpass")
mysql_select_db("mydb")
$query = "SELECT USERID FROM authen_table WHERE USERID='$userid' AND PASSWORD='$password'";
$result = mysql_query($query);
if (mysql_num_rows($result) == 1) {
[COLOR=DarkOrange]// register session variable and exit the verify function[/COLOR]
$valid_user = $userid;
$_SESSION['valid_user'] = $valid_user;
return true;
}
else {
[COLOR=DarkOrange]// bad userid and password[/COLOR]
$mesg = "Access denied: User ID and Password did not match";
write_login($mesg);
}
mysql_close($db);
}
else { [COLOR=DarkOrange]// if both User ID and Password have NOT been input[/COLOR]
$mesg = "Please login with User ID and Password";
write_login($mesg);
}
} [COLOR=DarkOrange]// end verify function[/COLOR]
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>
<TITLE>Private Contents</TITLE>
</HEAD>
<BODY>
<?php
if (verify()) { [B][COLOR=Red]// If userid and password are valid, display the Secure Contents[/COLOR][/B]
[COLOR=DarkOrange]// Place a button here for logging out from the Secure Contents[/COLOR]
echo " <FORM action=\"\" method=\"post\">";
echo " <INPUT type=\"submit\" value=\"Logout\">";
echo " <INPUT type=\"hidden\" name=\"FormLogout\" value=\"1\">";
echo " </FORM>";
echo " <P>This is some secure contents. Please logout after finished viewing</P>";
echo " <P>Secure: Blah Blah Blah.</P>";
echo " <P>Secure: Blah Blah Blah.</P>";
echo " <P>Secure: Blah Blah Blah.</P>";
}
?>
</BODY>
</HTML>
I did some research and have tried the PHP header() approach to send the no cache html headers. Something like this:
header("ETag: PUB" . time());
header("Last-Modified: " . gmdate("D, d M Y H:i:s", time()-10) . " GMT");
header("Expires: " . gmdate("D, d M Y H:i:s", time() + 5) . " GMT");
header("Pragma: no-cache");
header("Cache-Control: max-age=1, s-maxage=1, no-cache, must-revalidate");
session_cache_limiter("nocache");
But still, the problem is not resolved. I am not sure of what I am missing here.
I am new to PHP. Please kindly help solving the issue. Comments and suggestions are most welcome.
Thanks in advance.
Frustrated 😕 ,
EnVoid