Problem with a session

  • Nacho

    Problem with a session

    Hello people

    I have the following problem

    I have a private area in my site.
    The user enters the username and password, then clicks "enter" and the
    session is created and also a session variable is created and set to
    true.
    Every page of the private area, checks whether this session variable is
    set to true and then if so, it gives you access, otherwise it redirects
    to a noaccess page.
    The user moves around the private area, does whatever he/she has to do
    and then logs out. Then the session is destroyed and the session
    variable also.

    Now if the user clicks the back button of the explorer, he is redirected
    to a noaccess page, fine, and so on as long as the user navigates back
    in the session, but when the user gets to the log on page, it recovers
    the POSTDATA and sets the session variable to true again and anyone
    can then see the private area.

    I have set the page not to be cached, but it does not work...

    Does anyone know how to solve this problem?

    Thanks

  • Erwin Moller

    #2
    Re: Problem with a session

    Nacho wrote:
    > Hello people

    Hi Nacho,
    >
    > I have the following problem
    >
    > I have a private area in my site.
    > The user enters the username and password, then clicks "enter" and the
    > session is created and also a session variable is created and set to
    > true.
    > Every page of the private area, checks whether this session variable is
    > set to true and then if so, it gives you access, otherwise it redirects
    > to a noaccess page.
    > The user moves around the private area, does whatever he/she has to do
    > and then logs out. Then the session is destroyed and the session
    > variable also.

    So far ok.
    >
    > Now if the user clicks the back button of the explorer, he is redirected
    > to a noaccess page, fine, and so on as long as the user navigates back
    > in the session, but when the user gets to the log on page, it recovers
    > the POSTDATA and sets the session variable to true again and anyone
    > can then see the private area.

    ???
    I am not sure what you are describing.
    If a validated user uses the BACK button (the button that creates the most
    headaches for server-side programmers), he is probably viewing cached pages.
    If you disabled caching, maybe the browser makes a fresh request.

    Now, if I have a var in my session like this:
    $_SESSION["isAuthenticated"] = "Y";
    it will remain in the session until YOU remove it, or the session ends.
    The BACK-button has little to do with that.

    Be sure you know what is going on.

    Try this for debugging:
    Start all your pages you are investigating with:
    <pre>
    <? pring_r($_SESSION) ?>
    </pre>

    (after the body tag)

    Now with this small addition you can easily see what session-data is on
    which page.

    Great way to debug.
    If you have a live site and do not want to spit out geeky information into
    your visitors' faces, just put HTML comment tags around it, and use
    view-source to view the data.
    >
    > I have set the page not to be cached, but it does not work...

    How?
    In the browser or with extra header information?

    >
    > Does anyone know how to solve this problem?
    >

    Soon you can find out yourself, if you use the print_r debugging option. :-)

    Regards,
    Erwin Moller
    > Thanks


    • Erwin Moller

      #3
      [typocorrection] Re: Problem with a session

      Erwin Moller wrote:

      > Try this for debugging:
      > Start all your pages you are investigating with:
      > <pre>
      > <? pring_r($_SESSION) ?>

      That should be:
      <? print_r($_SESSION) ?>

      > </pre>


      Regards,
      Erwin Moller


      • Nacho

        #4
        Re: Problem with a session

        Hi Erwin

        First, thanks for the reply
        My English is not so good...

        Anyway, let's take it from

        > Now if the user clicks the back button of the explorer, he is redirected
        > to a noaccess page, fine, and so on as long as the user navigates back
        > in the session, but when the user gets to the log on page, it recovers
        > the POSTDATA and sets the session variable to true again and anyone
        > can then see the private area.

        I will try to put a real example:
        Let's say that you are the user and you have been doing stuff in the
        private area, then after a while, you log off. Then the session is
        destroyed and also all its variables. Then you leave the internet cafe
        but you don't close the browser. Somebody else comes and starts clicking
        on the back button; he/she gets redirected to a "non-access" page
        because there is no session anymore thus no session variable. BUT when
        he/she gets to the log on page (after having clicked x times)... the
        script gets executed again and the session is started and the value
        from $password is taken from the cache (from the logonHTML.html page) and
        the logon succeeds.

        I think I should have set as not cached (using headers) the
        logonHTML.php page which is the one that has the password textbox, I
        just realised now, but I can not try until I get home...

        This is more or less the code of these pages

        logon.php ****************************************************************

        session_start();

        //here I set the page not to be cached


        header();

        if(isset($password)) //name of the textbox
        {
            if(password is OK)
            {
                $_SESSION["isAuthenticated"] = "Y";
                echo 'log on is successful';
                menu();
            }
            else
            {
                //log on form
                imports(logonHTML.html);
                fotter();
                exit();
            }
        }

        //log on form
        imports(logonHTML.html);
        fotter();



        logon.php ****************************************************************


        logonHTML.php
        ****************************************************************

        <form>
        password textbox
        input button( action="")
        </form>

        logonHTML.php
        ****************************************************************


        Thanks anyway and I hope not to confuse you!!


        • Erwin Moller

          #5
          Re: Problem with a session

          Nacho wrote:
          > Hi Erwin

          Hi Nacho,
          >
          > First, thanks for the reply
          > My English is not so good...

          It is not bad either.
          I can easily understand. :-)
          Your first posting was a bit vague, but now I understand your problem.
          >
          > Anyway, let's take it from
          >
          > > Now if the user clicks the back button of the explorer, he is redirected
          > > to a noaccess page, fine, and so on as long as the user navigates back
          > > in the session, but when the user gets to the log on page, it recovers
          > > the POSTDATA and sets the session variable to true again and anyone
          > > can then see the private area.
          >
          > I will try to put a real example:
          > Let's say that you are the user and you have been doing stuff in the
          > private area, then after a while, you log off. Then the session is
          > destroyed and also all its variables. Then you leave the internet cafe
          > but you don't close the browser. Somebody else comes and starts clicking
          > on the back button; he/she gets redirected to a "non-access" page
          > because there is no session anymore thus no session variable. BUT when
          > he/she gets to the log on page (after having clicked x times)... the
          > script gets executed again and the session is started and the value
          > from $password is taken from the cache (from the logonHTML.html page) and
          > the logon succeeds.

          OK, this is the real problem.
          You are afraid a lot of private pages are cached into the browsers memory
          that can be retrieved easily by pressing the BACK button.

          This IS a real problem, and you cannot 100% solve it.
          You can however, try to tell the browser NOT to cache it.
          BUT, if the browser has a will of its own, or is simply configured to store
          all pages on disk/cache, you have little or no control.

          I would suggest that you google a bit around because the problem you
          describe is a famous one.

          Here is a nice place to start.


          Remember however, YOU are not/never going to control the client browser, and
          everybody is free to build and release a browser that just ignores your
          headers and WILL cache everything it wants until 2050 and publish them in
          a newspaper.
          You are not controlling the browser. Period.
          Once the browser received a response from the server, it is out of your
          hands/control.
          A lot of people can come up with tricks (in javascript maybe), but none will
          be 100% secure.

          So start with looking into the caching problem, make the best headers you can
          come up with, and keep your fingers crossed.

          If that is not enough for you, you could add a few hurdles for people so the
          simple BACK-button won't work.
          One easy way is using AJAX to fill the page.
          If somebody hits BACK, at least the page will be empty, because your
          AJAX-scripts are configured to only respond if a valid session is found.
          (Don't be afraid of AJAX, it is extremely simple. If you are interested,
          this is a nice place to start: www.w3schools.com/ajax)

          If security is a real concern of yours, you might also want to look into the
          secure sister of http, named https.
          At least it transmits the data scrambled over the internet.

          One last word on this: If you just want to block simple back-button access,
          try one of the above suggestions. If you need real security, call in some
          help from an experienced expert. Security is a very complex business.

          Good luck.
          Regards,
          Erwin Moller
          >
          > I think I should have set as not cached (using headers) the
          > logonHTML.php page which is the one that has the password textbox, I
          > just realised now, but I can not try until I get home...
          >
          > This is more or less the code of these pages
          >
          > logon.php ****************************************************************
          >
          > session_start();
          >
          > //here I set the page not to be cached
          >
          >
          > header();
          >
          > if(isset($password)) //name of the textbox
          > {
          >     if(password is OK)
          >     {
          >         $_SESSION["isAuthenticated"] = "Y";
          >         echo 'log on is successful';
          >         menu();
          >     }
          >     else
          >     {
          >         //log on form
          >         imports(logonHTML.html);
          >         fotter();
          >         exit();
          >     }
          > }
          >
          > //log on form
          > imports(logonHTML.html);
          > fotter();
          >
          >
          >
          > logon.php ****************************************************************
          >
          >
          > logonHTML.php
          > ****************************************************************
          >
          > <form>
          > password textbox
          > input button( action="")
          > </form>
          >
          > logonHTML.php
          > ****************************************************************
          >
          >
          > Thanks anyway and I hope not to confuse you!!


          • David Haynes

            #6
            Re: Problem with a session

            Nacho wrote:
            > Hi Erwin
            > I will try to put a real example:
            > Let's say that you are the user and you have been doing stuff in the
            > private area, then after a while, you log off. Then the session is
            > destroyed and also all its variables. Then you leave the internet cafe
            > but you don't close the browser. Somebody else comes and starts clicking
            > on the back button; he/she gets redirected to a "non-access" page
            > because there is no session anymore thus no session variable. BUT when
            > he/she gets to the log on page (after having clicked x times)... the
            > script gets executed again and the session is started and the value
            > from $password is taken from the cache (from the logonHTML.html page) and
            > the logon succeeds.
            >
            > I think I should have set as not cached (using headers) the
            > logonHTML.php page which is the one that has the password textbox, I
            > just realised now, but I can not try until I get home...
            >
            > This is more or less the code of these pages
            >
            > logon.php ****************************************************************
            >
            > session_start();
            >
            > //here I set the page not to be cached
            >
            >
            > header();
            >
            > if(isset($password)) //name of the textbox
            > {
            >     if(password is OK)
            >     {
            >         $_SESSION["isAuthenticated"] = "Y";
            >         echo 'log on is successful';
            >         menu();
            >     }
            >     else
            >     {
            >         //log on form
            >         imports(logonHTML.html);
            >         fotter();
            >         exit();
            >     }
            > }
            >
            > //log on form
            > imports(logonHTML.html);
            > fotter();

            A couple of things:

            1. Why cache the password? If isAuthenticated == 'Y', then there should
            be no need for the password anymore. I can't think of a good reason to
            ever move the password into a SESSION (from a POST or GET).

            2. Add a timestamp to the login (i.e. $_SESSION['timestamp'] = time() )
            and then test for both isAuthenticated and time() -
            $_SESSION['timestamp'] < some limit. This causes your SESSION to
            invalidate itself after a set period of time. Naturally, a valid user
            needs to have the $_SESSION['timestamp'] updated on each page fetch so
            that the SESSION will not go stale.

            -david-

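One way to apply both of David's points on every private page, as an added example (not code from the thread); the names session_is_valid(), require_auth(), IDLE_LIMIT and noaccess.php are assumed here:

```php
<?php
// Added example (not code from the thread): a guard for every private page that
// applies the two points above: the password never goes into the session, and
// the session invalidates itself after a period of inactivity. The names
// session_is_valid(), require_auth(), IDLE_LIMIT and noaccess.php are assumed.
declare(strict_types=1);

const IDLE_LIMIT = 900; // seconds of inactivity tolerated before the session is stale

// True only if the session carries the flag AND was used within the limit.
// On success the timestamp is refreshed, so an active user never goes stale.
function session_is_valid(array &$session, int $now, int $limit = IDLE_LIMIT): bool
{
    if (($session['isAuthenticated'] ?? '') !== 'Y') {
        return false;
    }
    $last = (int) ($session['timestamp'] ?? 0);
    if ($now - $last > $limit) {
        return false; // stale: treat exactly like "not logged in"
    }
    $session['timestamp'] = $now;
    return true;
}

// Destroy the session completely: its data, the server-side store and the
// client cookie, so a request replayed with the old cookie finds nothing.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Call this first on every private page, before any output is sent.
function require_auth(): void
{
    session_start();
    header('Cache-Control: no-store, no-cache, must-revalidate');
    if (!session_is_valid($_SESSION, time())) {
        logout(); // clear whatever is left before bouncing the visitor
        header('Location: noaccess.php', true, 303);
        exit;
    }
}

require_auth();
// ... private page content follows ...
```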

            • Nacho

              #7
              Re: Problem with a session

              Thanks for all the advice. My page does not really require security
              but I want to implement it, and if it works perfectly, much better!
              I see that the problem I'm facing is tricky, and I will try to solve
              it using the right headers. AJAX will come later! I'm really looking
              forward to using it, it is fantastic.

              Well, have a good weekend :-)

              Nacho


              • Nacho

                #8
                Re: Problem with a session

                Thanks, I'm going to try playing with the time also. Tell you later

                Ciao


                • Scott

                  #9
                  Re: Problem with a session

                  On Fri, 2006-05-12 at 02:56 -0700, Nacho wrote:
                  > Hello people
                  >
                  > I have the following problem
                  >
                  > I have a private area in my site.
                  > The user enters the username and password, then clicks "enter" and the
                  > session is created and also a session variable is created and set to
                  > true.
                  > Every page of the private area, checks whether this session variable is
                  > set to true and then if so, it gives you access, otherwise it redirects
                  > to a noaccess page.
                  > The user moves around the private area, does whatever he/she has to do
                  > and then logs out. Then the session is destroyed and the session
                  > variable also.
                  >
                  > Now if the user clicks the back button of the explorer, he is redirected
                  > to a noaccess page, fine, and so on as long as the user navigates back
                  > in the session, but when the user gets to the log on page, it recovers
                  > the POSTDATA and sets the session variable to true again and anyone
                  > can then see the private area.
                  >
                  > I have set the page not to be cached, but it does not work...
                  >
                  > Does anyone know how to solve this problem?
                  >
                  > Thanks
                  >

                  As for the caching problem, Microsoft recommends using the Expires
                  header to prevent caching in IE:

                  <META HTTP-EQUIV="Expires" CONTENT="-1"> or
                  <?php header('Expires: -1'); ?>

                  Remember that you must use the php header tag prior to sending any
                  output to the browser.

                  Scott

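As an added example (not the thread's code), logon.php reworked to send the Expires header above together with a Post/Redirect/Get response and a single-use form token, which goes beyond what the thread suggests; check_password(), private.php, logonHTML.php and the field names are assumptions:

```php
<?php
// Added example (not code from the thread): logon.php rewritten so that BACK
// cannot log a later visitor in with cached POSTDATA. It sends the Expires: -1
// header from the post above and adds a Post/Redirect/Get response and a
// single-use form token. check_password(), private.php, logonHTML.php and the
// field names are assumptions made here.
declare(strict_types=1);

function send_no_cache_headers(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: -1'); // the form IE honours, per the post above
}

// Stand-in for the real user-store lookup (constructed for this example).
function check_password(string $password): bool
{
    $demo_hash = password_hash('demo-only', PASSWORD_DEFAULT);
    return password_verify($password, $demo_hash);
}

// A fresh random token goes into the session and into a hidden form field.
function issue_form_token(): string
{
    $_SESSION['login_token'] = bin2hex(random_bytes(16));
    return $_SESSION['login_token'];
}

// Each token is accepted at most once. A POST replayed after logout finds no
// token in the (new, empty) session and is refused even with the right password.
function consume_form_token(?string $submitted): bool
{
    $expected = $_SESSION['login_token'] ?? null;
    unset($_SESSION['login_token']);
    return $expected !== null && $submitted !== null && hash_equals($expected, $submitted);
}

session_start();
send_no_cache_headers(); // headers must precede any output
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $token_ok = consume_form_token($_POST['login_token'] ?? null);
    if ($token_ok && check_password((string) ($_POST['password'] ?? ''))) {
        session_regenerate_id(true); // new id: nothing from the old session is reused
        $_SESSION['isAuthenticated'] = 'Y';
        $_SESSION['timestamp'] = time(); // for the idle-timeout check suggested above
        // Post/Redirect/Get: the history entry becomes a GET, so BACK re-fetches
        // the form instead of resubmitting the password.
        header('Location: private.php', true, 303);
        exit;
    }
}

// A GET, or a failed POST: render the form with a new token; logonHTML.php must
// emit it as a hidden input named login_token, escaped with htmlspecialchars().
$token = issue_form_token();
require 'logonHTML.php';
```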
