S.P.I.
July 11th, 2010, 11:15 AM
Hi there,
I have been working on an administrative system for an intranet based application the past few weeks. This is my first such effort and it has made me realize the intricacies of security management.
Anyway, my basic authentication service depends on sessions: the username and password (encrypted) are cross-checked with the ones stored in the database, and if there is a match a certain session variable is flagged as true and the user proceeds.
On each page I have a line of PHP that checks whether the session is still active; depending on the result the user is either allowed to proceed or he is redirected to the login page.
The technique works fine as long as the content I am viewing is fresh. But if I log out, and try hitting the back button the security check gets bypassed for some reason and the page that requires authentication is viewable. But upon hitting refresh the user is redirected back to the login page as the browser realizes the session variable is dead.
I figured the problem could be resolved by denying storage in the cache and revalidating the page each time it was visited. I used the following lines of code to fix the bug:
<?php
// Date in the past: anything cached is already stale.
header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
// HTTP/1.1: do not store, always revalidate with the server.
header('Cache-Control: no-store, no-cache, must-revalidate');
// Legacy IE-specific directives; second Cache-Control header is appended, not replaced.
header('Cache-Control: post-check=0, pre-check=0', FALSE);
// HTTP/1.0 equivalent for old caches.
header('Pragma: no-cache');
?>
I am not sure if it's the right way to go though. Any thoughts?
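A fuller version of the per-page check the post describes, as an added example rather than the poster's own code: it sends the no-store headers, checks the session flag together with an idle timeout, and on logout clears the session data, expires the cookie and destroys the session server-side. The session key names, the 15-minute idle limit and the login.php target are assumptions; the array form of session_set_cookie_params needs PHP 7.3 or later.

```php
<?php
// require_login.php: include at the top of every protected page, before any output.
// Session key names, the 15-minute idle limit and login.php are assumptions.
declare(strict_types=1);

function send_no_cache_headers(): void
{
    // no-store keeps the page out of the browser's cache, so "Back" after
    // logout re-requests it and the server-side check runs again.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
}

function start_secure_session(): void
{
    // HttpOnly hides the cookie from scripts; Secure limits it to HTTPS.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => !empty($_SERVER['HTTPS']),
        'samesite' => 'Lax',
    ]);
    session_start();
}

function logout_and_redirect(string $target): void
{
    // Drop server-side state, expire the session cookie, then redirect.
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
    header('Location: ' . $target, true, 303);
    exit;
}

function require_login(int $idleLimitSeconds = 900): void
{
    send_no_cache_headers();
    start_secure_session();
    $authenticated = $_SESSION['is_authenticated'] ?? false;
    $lastActivity  = $_SESSION['last_activity'] ?? 0;
    // An unset flag or an idle session both fall through to logout.
    if ($authenticated !== true || time() - $lastActivity > $idleLimitSeconds) {
        logout_and_redirect('login.php');
    }
    $_SESSION['last_activity'] = time();
}
require_login();
```

The logout page itself can simply call start_secure_session() followed by logout_and_redirect('login.php'), so both paths leave no live session behind.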