Reposting of username/password

December 6, 2008


I am trying to develop an authentication-based application using LiveUser.
(The login page provides the user name and password, and LiveUser processes them to
determine whether the user is to be logged in or not.)

The problem I am facing happens with the following sequence of steps:
after a login followed by a logout, when the user presses the browser's Back button,
the browser returns to the page that was presented after the login and asks whether the POST data
should be submitted again.

Because of this, a malicious user can log into the system with the previous user's account
if the previous user had forgotten to close the browser. (Imagine it is an Internet cafe or a
computer center at a university.)

At the time of logout, the session information is destroyed and the cookie is not remembered at
the server (LiveUser settings).

As I understand it, this behaviour needs to be controlled at the browser.

Kindly help me out by throwing some light on this, and answering these:

1. How does one keep the browser from re-posting the username / password information when
the browser's Back button is used?
2. Is there any support for this in LiveUser itself?
3. What is the best solution for this problem?



I do not know LiveUser. If it is an issue, I would suggest adding a random variable to the form, which is also stored in the session. When the user submits, the random variable is removed from the session, and subsequent submits are not valid.
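The one-time form token suggested above, written out as an added example. This is not code from the thread or from LiveUser; the function names, the `login_token` session key and the `alice` account are all hypothetical, and a plain callable stands in for LiveUser's own credential check. The walk-through at the bottom is constructed: it performs a login, a logout, and then replays the identical POST body the way the browser does when Back re-submits the form.

```php
<?php
// Added example (not LiveUser code): a one-time login-form token that makes a
// replayed POST fail, driven through a simulated back-button re-submit.

// Issue a fresh token, store it server-side and hand it back for the hidden form field.
function issueLoginToken(array &$session): string
{
    $token = bin2hex(random_bytes(16));      // 128 bits from the CSPRNG
    $session['login_token'] = $token;        // hypothetical session key
    return $token;
}

// Validate and consume the token. Returns true at most once per issued token.
function consumeLoginToken(array &$session, array $post): bool
{
    if (!isset($session['login_token'], $post['token'])) {
        return false;
    }
    $expected = $session['login_token'];
    unset($session['login_token']);          // consume before doing anything else
    return hash_equals($expected, (string) $post['token']);  // constant-time compare
}

// Simulated POST handler; $checkCredentials stands in for the LiveUser login call.
function handleLoginPost(array &$session, array $post, callable $checkCredentials): string
{
    if (!consumeLoginToken($session, $post)) {
        return 'rejected: stale or missing form token';
    }
    if (!$checkCredentials($post['user'] ?? '', $post['pass'] ?? '')) {
        return 'rejected: bad credentials';
    }
    $session['user'] = $post['user'];
    // Real app: header('Location: /home', true, 303); exit;  (POST -> redirect -> GET)
    return 'ok: redirect to /home';
}

function logout(array &$session): void
{
    $session = [];                           // drop user, token, everything
}

// --- constructed walk-through, not real traffic ---
$checkCredentials = function (string $u, string $p): bool {
    return $u === 'alice' && $p === 'correct horse';   // hypothetical account
};

$session = [];
$token = issueLoginToken($session);          // rendered into the login form
$post  = ['user' => 'alice', 'pass' => 'correct horse', 'token' => $token];

echo handleLoginPost($session, $post, $checkCredentials), "\n";  // ok: redirect to /home

// Same user, same browser, presses Back without logging out: token already consumed.
echo handleLoginPost($session, $post, $checkCredentials), "\n";  // rejected: stale or missing form token

logout($session);

// Next person at the kiosk presses Back and confirms the re-POST: session is empty.
echo handleLoginPost($session, $post, $checkCredentials), "\n";  // rejected: stale or missing form token
```

Two points worth keeping in mind when wiring this into a real application. The token must be bound to the server-side session, not merely compared against a hidden field, otherwise a replay with a copied token still works. And the 303 redirect after a successful login matters on its own: if the post-login page is reached by GET, Back never lands on a POST result, so the browser has no credentials to offer to re-send in the first place. The token then covers the remaining case where the re-POST is forced anyway.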

