November 4th, 2003, 03:39 AM
|
|
Junior Member
|
|
Join Date: Oct 2003
Posts: 6
Time spent in forums: < 1 sec
Reputation Power: 0
|
|
|
how to make a safe logout?
Hello everyone,
some time ago I found this Login-script on devarticles. If is supposed to be pretty safe, however: I do have some problems on loginout! Logout on a "stand-alone" pc works well, but login out on a pc that's part of a network in a company, it's still possible to go back to the secure pages by using the browsers back-button. So, my question: is anyone among you able and willing to give me a hint of even (preferebly) the best/safest way to logout from these secured-pages?
On top of every page I write this:
PHP Code:
<?php
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");
?>
<?PHP require('incSession.php'); ?>
This is what the logout-script looks like at the moment:
PHP Code:
<?php
setcookie('session_id', '');
?>
The login system is like this:
login.php:
PHP Code:
<?php
<div align="center">
<form action="LoginAction.php" method="Post">
Email Address:<br />
<input type="Text" name="psEmail" />
<br />
Password:<br />
<input type="password" name="psPassword" />
<br />
<input type="submit" value="Login" />
<input type="hidden" name="psRefer" value="<? echo($refer) ?>"
</form>
</div>
?>
LoginAction:
PHP Code:
<?php
// Controleren of alle info is ingevuld in de login
if($psEmail == '' || $psPassword == '') {
// geen login info
header('Location: index.php?refer='.urlencode($psRefer));
} else {
// authenticeren user
include("connect.php");
$sQuery = "
Select iUser, MD5(UNIX_TIMESTAMP() + iUser + RAND(UNIX_TIMESTAMP())) sGUID
From tblUsers
Where sEmail = '$psEmail'
And sPassword = password('$psPassword')";
$hResult = mysql_query($sQuery, $hDB);
if(mysql_num_rows($hResult)) {
$aResult = mysql_fetch_row($hResult);
//User-record updaten
$sQuery = "
Update tblUsers
Set sGUID = '$aResult[1]'
Where iUser = $aResult[0]";
mysql_query($sQuery, $hDB);
// Cookie plaatsen en redirect
setcookie("session_id", $aResult[1]);
if(!$psRefer) $psRefer = 'manager.php';
header('Location: '.$psRefer);
} else {
// Hé, geen authenticatie
header('Location: index.php?refer='.urlencode($psRefer));
}
}
?>
IncSession.php is like this:
PHP Code:
<?php
// check if a cookie exists:
if(!isset($HTTP_COOKIE_VARS['session_id'])) {
header('Location: index.php?refer='.urlencode($PHP_SELF.'?'.$HTTP_SE RVER_VARS['QUERY_STRING']));
}
// kijken of dit in de database ook staat
$sGUID = $HTTP_COOKIE_VARS['session_id'];
include("connect.php");
$sQuery = "
Select iUser
From tblUsers
Where sGUID = '$sGUID'";
$hResult = mysql_query($sQuery, $hDB);
if(!mysql_num_rows($hResult)) {
// Geen "match" voor Guid gevonden
header('Location: index.php?refer='.urlencode($PHP_SELF.'?'.$HTTP_SE RVER_VARS['QUERY_STRING']));
}
?>
This is how I create the database-table:
Code:
CREATE TABLE tblUsers (
iUser int(10) unsigned NOT NULL auto_increment,
sEmail varchar(255) NOT NULL,
sPassword varchar(255) NOT NULL,
sGUID varchar(32),
sData text,
PRIMARY KEY (iUser)
) TYPE=MyISAM;
Hoping to hear from one of you soon, since I'm thinking about this for so long now......
Greetings Joost 
|
Dev Articles Community Forums Sponsor:
Del.icio.us
Digg
Google
Spurl
Blink
Furl
Simpy
Y! MyWeb
Linear Mode
