I'm just starting with PHP and thought I had it under control until I struck this issue.

The login system works as intended. I enter a username and password and use session variables to keep track of the login. I log out by unsetting my session variable and calling session_destroy(). This is fine until I start using the back button and find all of the pages that I should no longer be able to see. I solved this by adding the tag <meta http-equiv="cache-control" content="no-cache">, which seemed to fix the problem until I go back to the page immediately after I logged in. If I reload this page it asks if I want to resend the POST variables and, hey presto, I'm logged back in.

I would have thought that this would have been a fairly well described problem, but I can't find anything about it. Have I solved the first problem in the right way? What is the answer to the second problem? I hope someone can help me.

Thanks

    Are you logging out on the same page (calling itself)? I always have one page for logout. Call

    session_unset();
    session_destroy();
    header("location: another page.php");
    

    I use the header function to redirect away from this page. Should work.

    I also never call the same PHP page when logging in. I have a page for the login form and a page to process the login, which in turn redirects to another page.

    Can you be more specific as to what is actually happening?

      Thanks for your reply.

      Yes, I am using the same page to log in and out. What I am doing is having every page in my site call session_start(), connect to mysql and then call a function I have called checklogin, passing it a reference to the database connection object.

      Here is my checklogin function

      function checklogin(&$dbconn)
      {
          //checks whether there is a user currently logged in.
          //If a valid user is not logged in or session has expired, displays empty page with login prompt.
          //Returns the userid of the logged-in user, or null if nobody is logged in and no login was attempted.

          if (isset($_SESSION['valid_user']))		//check if there is a user already logged in
          {
              if (isset($_POST['logout']))    //logout has been selected
              {
                  unset($_SESSION['valid_user']);
                  unset($_SESSION['timeout']);
                  session_destroy();
                  $page = new Page;
                  $page->content = "<h3>Thank you for using mysite</h3>";
                  $page->login = generatelogin();
                  $page->Display();
                  $dbconn->close();
                  exit;
              }
              if (time() < $_SESSION['timeout'] + TIMEOUT*60)		//make sure they haven't timed out
              {
                  $_SESSION['timeout'] = time();			//login is OK so reset timeout timer and return userid
                  return getuserid($dbconn);
              }
              $page = new Page;		//login has expired so notify and display appropriate page
              unset($_SESSION['valid_user']);
              $page->content = '<h3>Your login has expired. Please log in again.</h3>';
              $page->login = generatelogin();
              $page->Display();
              $dbconn->close();
              exit;
          }

          if (isset($_POST['username']))		//there is no user logged in so check whether page was loaded by clicking login prompt
          {
              $username = trim($_POST['username']);
              $password = isset($_POST['password']) ? $_POST['password'] : '';

              if (!$username)
              {				//no username entered
                  $page = new Page;
                  $page->content = '<h3>You did not enter a username</h3>';
                  $page->login = generatelogin();
                  $page->Display();
                  $dbconn->close();
                  exit;
              }

              if (!$password)
              {				//no password entered
                  $page = new Page;
                  $page->content = '<h3>You did not enter a password</h3>';
                  $page->login = generatelogin();
                  $page->Display();
                  $dbconn->close();
                  exit;
              }

              //get the stored password hash for this username. The username is sent as a bound
              //parameter rather than glued into the query string, so a username containing quotes
              //cannot alter the SQL (SQL injection). Requires mysqli with mysqlnd for get_result().
              $stmt = $dbconn->prepare('select * from users where username = ?');
              $stmt->bind_param('s', $username);
              $stmt->execute();
              $result = $stmt->get_result();

              if ($result->num_rows == 0)
              {
                  $stmt->close();
                  $page = new Page;		//no return from database therefore username does not exist
                  $page->content = '<h3>Unknown username. Try again</h3>';
                  $page->login = generatelogin();
                  $page->Display();
                  $dbconn->close();
                  exit;
              }

              $userarray = $result->fetch_assoc();
              $stmt->close();

              //compare the hashes in constant time. This schema stores an unsalted sha1 of the
              //password; password_hash()/password_verify() would be a stronger choice.
              if (!hash_equals($userarray['password'], sha1($password)))
              {
                  $page = new Page;		//password does not match
                  $page->content = '<h3>Incorrect password. Try again</h3>';
                  $page->login = generatelogin();
                  $page->Display();
                  $dbconn->close();
                  exit;
              }
              else
              {
                  $_SESSION['valid_user'] = $username;			//Yay! successful login
                  $_SESSION['timeout'] = time();
                  return $userarray['userid'];					//return userid from user table
              }
          }

          return null;		//nobody logged in and no login attempted; caller shows the login panel
      }

      If there is a problem with the login the function generates a page with an error message and a login panel at the top. If the login validates, the function sets the relevant session variable and returns the $userid value of the logged in user. The page that called the function will then generate a page with a logout panel replacing the login panel. The login or logout button always calls the same page that it came from (i.e. if the current page is anywhere.php the link will be to anywhere.php). I'm not sure how having a separate logout page with a redirect will prevent people from going back to the page after login and resending the POST variables. Can anyone help me understand this further?

      Thanks again.
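The separate-page login and logout flow the first reply describes, with the login handled by one script that redirects afterwards, a dedicated logout script, and HTTP cache headers instead of the meta tag, as an added example that is not code from either poster. The file names (login.php, logout.php, index.php, home.php), the function names, the users table with userid, username and password_hash columns, and a mysqli connection are assumptions; it needs PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
// Added example (not the poster's code): post/redirect/get login, a dedicated
// logout script, session id rotation and HTTP no-store headers. File names,
// function names and the users table layout are assumptions.

// HTTP headers that tell the browser (and any proxy) not to keep protected pages.
// The <meta http-equiv> tag is only honoured by some browsers; these headers are
// what the back/forward cache actually respects.
function send_no_store_headers(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
}

// Start the session with the cookie flags every page should use.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_set_cookie_params([
            'httponly' => true,
            'secure'   => isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
            'samesite' => 'Lax',
        ]);
        session_start();
    }
}

// Fetch the user's row with a bound parameter (assumed schema: userid, password_hash
// holding password_hash() output). Returns null when the username is unknown.
function find_user_row(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT userid, password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// login.php: process the POST, then redirect with 303. The browser's history entry
// for the destination is a GET, so back/reload never re-submits the credentials.
function handle_login(mysqli $db): void
{
    start_secure_session();
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        header('Location: index.php', true, 303);
        exit;
    }
    $username = trim($_POST['username'] ?? '');
    $password = $_POST['password'] ?? '';
    $row = find_user_row($db, $username);
    // One message for unknown user and wrong password: no username enumeration.
    if ($row === null || !password_verify($password, $row['password_hash'])) {
        $_SESSION['flash'] = 'Login failed.';
        header('Location: index.php', true, 303);
        exit;
    }
    session_regenerate_id(true);             // fresh id on privilege change (session fixation)
    $_SESSION['valid_user'] = $username;
    $_SESSION['userid']     = (int) $row['userid'];
    $_SESSION['last_seen']  = time();
    header('Location: home.php', true, 303);
    exit;
}

// logout.php: clear the data, expire the cookie, destroy the server-side session, redirect.
function handle_logout(): void
{
    start_secure_session();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    send_no_store_headers();
    header('Location: index.php', true, 303);
    exit;
}

// Called at the top of every protected page; returns the userid or never returns.
function require_login(int $timeoutMinutes = 30): int
{
    start_secure_session();
    send_no_store_headers();
    $expired = !isset($_SESSION['last_seen'])
        || time() > $_SESSION['last_seen'] + $timeoutMinutes * 60;
    if (!isset($_SESSION['valid_user']) || $expired) {
        handle_logout();                      // missing or stale session: wipe it and bounce to the form
    }
    $_SESSION['last_seen'] = time();
    return $_SESSION['userid'];
}
```

This is what the redirect buys you: with the single-page design, the last request the browser made for anywhere.php was the POST carrying the username and password, so "reload" re-sends it. With login.php answering the POST with a 303 to home.php, the only request in the history for home.php is a GET, and reloading it cannot log anyone back in. The no-store headers are what keeps the protected page out of the back/forward cache after logout; put them in the HTTP response, not in a meta tag.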
