Solved

Session Expiration and Refresh Button Problem

Posted on 2003-02-20
1,704 Views
Last Modified: 2010-08-05
Hi all,

I have an HTML login page (form).  Upon successful login, my perl script generates a session ID, which I embed in all the URL links.  When the user logs out, I remove the session id from the session database.  However, if I click the "Back" button, I get this error message: "The page cannot be refreshed without resending the information.  Click Retry to send the information again, or click Cancel to return to the page that you were trying to view."  When I click "Retry," the login information in the HTML form is resent to the web server.  This is a big security hole.  How do I disable this?  I am very new to web programming, so I'm not sure what kinds of options I have.  Any pointers would be greatly appreciated.  Thanks for your time.

Monica
Question by:Monica2003
8 Comments
 
LVL 3

Expert Comment

by:AmericanDogma
ID: 7991496
You can't disable that feature. What it is doing is actually resubmitting all the form information.

What you need to do is check your code. You should expire the session ID (or issue a new ID) as soon as the logoff button is hit and delete the session from the DB. Therefore, no matter what, the user will have to re-login.
 

Author Comment

by:Monica2003
ID: 7996463
When the user hits the logoff button, I do remove the session id from the session database.  However, when the user clicks the "back" button, the login form is re-sent.  When my perl script receives this login form, it generates a session id.  The script doesn't know if the login information came from the browser resending the form information or if this is a new login.  This is a big security hole because the user doesn't have to provide username/password.  I don't know how to fix this...  Please help!

Thanks,
Monica
 
LVL 3

Accepted Solution

by:
AmericanDogma earned 200 total points
ID: 7997072
Put your login action and logoff action in separate pages. Once the user logs off, make sure they are sent to a standard home page.

Other than that, there is no way to prevent the user from RELOGGING IN by using the back button to resubmit the form.
 

Author Comment

by:Monica2003
ID: 8012629
Thanks for your comment!  I think you are very right.  Here's the general flow of my program:

1. User is presented with login.html (form).
2. login.html posts to login.pl.
3. login.pl creates session id, then generates body.html (embedding session id in its "href" links).

So, whenever I click the "back" button or click the "refresh" button, the browser is reloading "login.html/login.pl" which generates a new session id.  I don't know how to fix this problem with the method that I have chosen (embedding session id in links) because the login.pl generates the dynamic body.html page.  

So, I've now decided to store the session id in a cookie instead.  In login.pl, I can generate this information:

print "Content-type: text/html\n";

# Prevent page from being cached.
print "Pragma: no-cache\n";
print "Expires: Tue, 08 Apr 1997 17:20:00 GMT\n";
print "Cache-Control: no-cache\n";
print "Cache-Control: no-store\n";

# Set Cookie ($sessionId was generated earlier in login.pl).
print "Set-Cookie: sessionId=$sessionId; secure\n";

# Redirect browser to new page (the blank line ends the header block).
print "Location: body.html\n\n";

However, I have another problem now where the body.html page is being cached.  I thought that by setting the no-cache headers above, the page wouldn't be cached.  But the redirection is messing things up.  How do I fix this?

Thanks,
Monica
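The flow the thread settles on (session issued by the login handler, stored server side, carried in a cookie; a separate logoff action that deletes the session; the protected page itself sent with no-store headers) is shown below as an added Python example. It is not the asker's Perl script and not code from the accepted answer; it ports the same HTTP mechanics into three handler functions that return (status, headers, body) so the exchange can be traced without a web server. The paths /body, /home.html and /login.html, the form field names user and password, and the single user "monica" with a constructed password are assumptions for the illustration.

```python
import hashlib
import hmac
import html
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed credential store: usernames map to PBKDF2 hashes of their
# passwords, so the example never keeps a plaintext password around.
_SALT = b"constructed-example-salt"
_ITERATIONS = 100_000
USERS = {
    "monica": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS),
}

# Server-side session store: session id -> username. Logout removes the
# entry, so a stale cookie (or a replayed one) no longer identifies anyone.
SESSIONS = {}

# Cache headers that belong on every response whose content must not be
# shown again from the browser cache after the user has logged out.
NO_STORE = [
    ("Cache-Control", "no-store, no-cache, must-revalidate"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]
HTML = ("Content-Type", "text/html; charset=utf-8")


def check_password(user, password):
    """Constant-time comparison of the submitted password against the stored hash."""
    expected = USERS.get(user)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    # The hash is computed even for unknown users so timing does not reveal names.
    return expected is not None and hmac.compare_digest(expected, candidate)


def session_cookie(session_id):
    return ("Set-Cookie", f"sessionId={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax")


def session_from_cookie(cookie_header):
    """Extract the session id from a Cookie request header, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("sessionId")
    return morsel.value if morsel else None


def login(form_body):
    """Handle the POST from login.html. Returns (status, headers, body)."""
    fields = parse_qs(form_body)
    user = fields.get("user", [""])[0]
    password = fields.get("password", [""])[0]
    if not check_password(user, password):
        return 401, NO_STORE + [HTML], "<p>Login failed.</p>"
    session_id = secrets.token_urlsafe(32)  # unguessable, generated server side
    SESSIONS[session_id] = user
    # 303 See Other: the browser follows with a GET, so the POST result never
    # becomes a history entry and Back/Refresh land on a GET, not a resend.
    return 303, [("Location", "/body"), session_cookie(session_id)] + NO_STORE, ""


def body(cookie_header):
    """The protected page. Identity comes only from the server-side store."""
    user = SESSIONS.get(session_from_cookie(cookie_header))
    if user is None:
        return 303, [("Location", "/login.html")] + NO_STORE, ""
    # no-store goes on THIS response: headers sent with an earlier redirect
    # say nothing about the page the browser fetches afterwards.
    return 200, NO_STORE + [HTML], f"<p>Welcome, {html.escape(user)}.</p>"


def logout(cookie_header):
    """Separate logoff action: invalidate the session, clear the cookie, go home."""
    SESSIONS.pop(session_from_cookie(cookie_header), None)
    cleared = ("Set-Cookie", "sessionId=; Path=/; Max-Age=0; Secure; HttpOnly")
    return 303, [("Location", "/home.html"), cleared] + NO_STORE, ""
```

Two points the thread raises are visible here. First, the caching question: HTTP cache directives apply only to the response that carries them, so printing no-cache headers on the redirect does nothing for body.html; the page served at /body has to emit them itself, which a static file served by the web server will not do unless the server is configured to add them. Second, the limit AmericanDogma states still holds: if the browser does resend the original credentials, the login handler will authenticate them again, so the defences are the server-side invalidation on logout (a replayed cookie is useless), the redirect after POST (the browser has no POST to replay from Back), and no-store on the protected page (Back does not show a cached copy).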
 
LVL 27

Expert Comment

by:Asta Cu
ID: 9050025
Please return to this question and update/finalize it.  If you've been helped, please select the comment which served you and grade it to award points and close this question.  You can split your points and award more than one expert if more than one was instrumental in helping you.

If more is needed, please let us know.  

If you need help from Community Support for special handling here's that link, along with "helpful hints" on questions here:
http://www.experts-exchange.com/Community_Support/
http://www.experts-exchange.com/help/qnaFAQ.jsp
http://www.experts-exchange.com/help/mistakes.jsp

In the event this question remains unresolved, and inactive by mid August, 2003, I will be asking a Moderator to finalize this.  EXPERT INPUT REQUESTED to determine the outcome here, if Asker does not finalize this.

Thank you,
":0) Asta
 
LVL 27

Expert Comment

by:Asta Cu
ID: 10355654
Monica2003,
No comment has been added lately (196 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: Award points to AmericanDogma http:#7997072

Please leave any comments here within 4 days.

-- Please DO NOT accept this comment as an answer ! --


Thanks,
astaec
EE Cleanup Volunteer