How to protect a page from being viewed by the browser "back" button



Benedizione
03-02-2008, 02:24 AM
I have a page that after logging out and then clicking on the "back" button on the browser will take you back into the page that I do not want to be accessible. What can I do to make that page impossible to view after logging out?

Dre

Nile
03-02-2008, 02:25 AM
Use cookies... are you using js or php?

Benedizione
03-02-2008, 02:27 AM
Use cookies... are you using js or php?
php

Do you mean that the person accessing the page whether from my computer or whatever computer being used to access the page would have to use "cookies"?

I thought that "cookies" left on the computer gave other users of that computer access to those pages?

Dre

Nile
03-02-2008, 02:29 AM
Cookies set an option in your browser, so you could make a cookie called 'cookie' with the value 'hihihihi', and then you could make your page echo: hihihihi
So cookies store data kinda.
Also can I see your code?

Benedizione
03-02-2008, 02:36 AM
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<!--
** DESIGN and COPYRIGHT BY: Prophecies of Revelation (C) 2003
** URL: propheciesofrevelation.org
** AUTHOR:
-->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Prophecies of Revelation</title>
<meta name="author" content="">
<meta name="description" content="">
<meta name="keywords" content="">
<meta name="rating" content="General">
<meta name="revisit-after" content="">
<meta name="robots" content="">
<meta name="distribution" content="">
<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">

</head>

<BODY background="" bgcolor="#ffffff" text="#000000" link="#ffffff" vlink="#000099" alink="#999966" bgproperties="fixed">


<STYLE TYPE="text/css">
<!--

a:link{color: #0000CC}

a:link{font-size: 100%}
a:link{font-family: palatino, times new roman, courier}
a:link{font-weight: 700}


a:hover{font-size: 120%}
a:hover{color: #FF3333}
a:hover{font-style: italic}
a:hover{font-family: palatino, times new roman, courier}
a:hover{font-weight: 700}

a:visited{color: #888888}
a:visited{font-size: 100%}
a:visited{font-family: palatino, times new roman, courier}
a:visited{font-weight: 700}


A {text-decoration: none}

-->
</STYLE>


<?php
include('menu.txt');
?>


<table border="0" align="left" width="1100">
<tr><td><font face="palatino" size="3">




<a href="form.php">Post a Comment</a> | <a href="http://www.propheciesofrevelation.org/?logout=1">Logout</a>


<br><br>





<p align="justified"><small><font color="#99CCFF">
The King of Kings and Lord of Lords -- The Giver of the Holy Ghost in Acts -- The Word of God -- The Lamb of God -- The Devil's Defeater -- The Beginning and The End -- The Honey in the Rock -- The Staff of Life -- The Soon Coming King to Thessalonians -- The Redeemer From The Curse of the Law -- The Alpha and the Omega -- The Chief Cornerstone -- The Prince of Peace -- A Father to the Fatherless -- A Light For Those In Darkness -- Joshua's Captain of Salvation -- Elijah's Staff -- A Husband to the Widow -- Love in John -- Malachi's Son of Righteousness with Healing in His Wings
</small></p></font>

<!-- Site Meter -->
<script type="text/javascript" src="http://s31.sitemeter.com/js/counter.js?site=s31revelation">
</script>
<noscript>
<a href="http://s31.sitemeter.com/stats.asp?site=s31revelation" target="_top">
<img src="http://s31.sitemeter.com/meter.asp?site=s31revelation" alt="Site Meter" border="0"/></a>
</noscript>
<!-- Copyright (c)2006 Site Meter -->

</font></td></tr></table>


</body>
</html>

Nile
03-02-2008, 02:37 AM
No, the login script! lol!

Benedizione
03-02-2008, 02:39 AM
No, the login script! lol!
You mean this:
<?php include("/home/content/b/e/n/benedizione/html/password_protect.php"); ?>

Nile
03-02-2008, 02:44 AM
Yea, I want the script that lets you login!

Benedizione
03-02-2008, 02:51 AM
I cannot give you the password though. It's strictly confidential.

Nile
03-02-2008, 03:01 AM
You can replace the password with *****, just show me the code please.

Benedizione
03-02-2008, 03:12 AM
<?php

###############################################################
# Page Password Protect 2.13
###############################################################
# Visit http://www.zubrag.com/scripts/ for updates
###############################################################
#
# Usage:
# Set usernames / passwords below between SETTINGS START and SETTINGS END.
# Open it in browser with "help" parameter to get the code
# to add to all files being protected.
# Example: password_protect.php?help
# Include protection string which it gave you into every file that needs to be protected
#
# Add following HTML code to your page where you want to have logout link
# <a href="http://www.example.com/path/to/protected/page.php?logout=1">Logout</a>
#
###############################################################

/*
-------------------------------------------------------------------
SAMPLE if you only want to request login and password on login form.
Each row represents different user.

$LOGIN_INFORMATION = array(
'zubrag' => 'root',
'test' => 'testpass',
'admin' => 'passwd'
);

--------------------------------------------------------------------
SAMPLE if you only want to request only password on login form.
Note: only passwords are listed

$LOGIN_INFORMATION = array(
'root',
'testpass',
'passwd'
);

--------------------------------------------------------------------
*/

##################################################################
# SETTINGS START
##################################################################

// Add login/password pairs below, like described above
// NOTE: all rows except last must have comma "," at the end of line
$LOGIN_INFORMATION = array(
'xxxxxxxxxxxxxxxx', // password redacted by the poster

);

// request login? true - show login and password boxes, false - password box only
define('USE_USERNAME', false);

// User will be redirected to this page after logout
define('LOGOUT_URL', 'http://www.propheciesofrevelation.org/');

// time out after NN minutes of inactivity. Set to 0 to not timeout
define('TIMEOUT_MINUTES', 0);

// This parameter is only useful when TIMEOUT_MINUTES is not zero
// true - timeout time from last activity, false - timeout time from login
define('TIMEOUT_CHECK_ACTIVITY', true);

##################################################################
# SETTINGS END
##################################################################


///////////////////////////////////////////////////////
// do not change code below
///////////////////////////////////////////////////////

// show usage example
if(isset($_GET['help'])) {
die('Include following code into every page you would like to protect, at the very beginning (first line):<br>&lt;?php include("' . str_replace('\\','\\\\',__FILE__) . '"); ?&gt;');
}

// timeout in seconds
$timeout = (TIMEOUT_MINUTES == 0 ? 0 : time() + TIMEOUT_MINUTES * 60);

// logout?
if(isset($_GET['logout'])) {
setcookie("verify", '', $timeout, '/'); // clear password;
header('Location: ' . LOGOUT_URL);
exit();
}

if(!function_exists('showLoginPasswordProtect')) {

// show login form
function showLoginPasswordProtect($error_msg) {
?>
<html>
<head>
<title></title>
<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
</head>
<body>
<style>
input { border: 1px solid black; }
</style>
<div style="width:500px; margin-left:auto; margin-right:auto; text-align:center">
<form method="post">
<h2>This page is now password protected just for you,.</h2><br><br>
<h3>Who is your <br>(Capitalization counts!)</h3>
<font color="red"><?php echo $error_msg; ?></font><br />
<?php if (USE_USERNAME) echo 'Login:<br /><input type="input" name="access_login" /><br />Answer :<br />'; ?>
<input type="password" name="access_password" /><p></p><input type="submit" name="Submit" value="Submit" />
</form>
<br />
<a style="font-size:9px; color: #B0B0B0; font-family: Verdana, Arial;" href="http://www.zubrag.com/scripts/password-protect.php" title="Download Password Protector">Powered by Password Protect</a>
</div>
</body>
</html>

<?php
// stop at this point
die();
}
}

// user provided password
if (isset($_POST['access_password'])) {

$login = isset($_POST['access_login']) ? $_POST['access_login'] : '';
$pass = $_POST['access_password'];
if (!USE_USERNAME && !in_array($pass, $LOGIN_INFORMATION)
|| (USE_USERNAME && ( !array_key_exists($login, $LOGIN_INFORMATION) || $LOGIN_INFORMATION[$login] != $pass ) )
) {
showLoginPasswordProtect("Incorrect answer.");
}
else {
// set cookie if password was validated
// setcookie("verify", md5($login.'%'.$pass), $timeout, '/');

// Some programs (like Form1 Bilder) check $_POST array to see if parameters passed
// So need to clear password protector variables
unset($_POST['access_login']);
unset($_POST['access_password']);
unset($_POST['Submit']);
}

}

else {

// check if password cookie is set
if (!isset($_COOKIE['verify'])) {
showLoginPasswordProtect("");
}

// check if cookie is good
$found = false;
foreach($LOGIN_INFORMATION as $key=>$val) {
$lp = (USE_USERNAME ? $key : '') .'%'.$val;
if ($_COOKIE['verify'] == md5($lp)) {
$found = true;
// prolong timeout
if (TIMEOUT_CHECK_ACTIVITY) {
setcookie("verify", md5($lp), $timeout, '/');
}
break;
}
}
if (!$found) {
showLoginPasswordProtect("");
}

}

?>

YouKnowWho
03-02-2008, 10:15 AM
You can use the window.history.go() function to disable the browser's back button navigation... You need to add this in your page layout...



<script type="text/javascript" language="Javascript1.5">
window.history.go(+1);
</script>

But this is using javascript :(

Benedizione
03-02-2008, 02:44 PM
You can use the window.history.go() function to disable the browser's back button navigation... You need to add this in your page layout...



<script type="text/javascript" language="Javascript1.5">
window.history.go(+1);
</script>

But this is using javascript :(
Thank you! This is exactly what I was looking for!

BLiZZaRD
03-02-2008, 05:57 PM
However, JS can be disabled. If I wanted to I could disable my JS and still use my back button, which, if you take functionality away from me, is exactly what I will do.

Use php Sessions. They are easier than cookies and the user never knows they were there.

You can set this up a few different ways; one of the easiest would be to give the log IN page a session ID (meaning on the landing page after they log in).

When they log out, I assume they go to a page that tells them they logged out, on this page remove the session.

On all the log in pages check for session ID, if it isn't there, they get redirected to the log in page.

this page tells you more than you need to know (http://www.tizag.com/phpT/phpsessions.php)

Benedizione
03-02-2008, 07:01 PM
However, JS can be disabled. If I wanted to I could disable my JS and still use my back button, which, if you take functionality away from me, is exactly what I will do.

Use php Sessions. They are easier than cookies and the user never knows they were there.

You can set this up a few different ways; one of the easiest would be to give the log IN page a session ID (meaning on the landing page after they log in).

When they log out, I assume they go to a page that tells them they logged out, on this page remove the session.

On all the log in pages check for session ID, if it isn't there, they get redirected to the log in page.

this page tells you more than you need to know (http://www.tizag.com/phpT/phpsessions.php)
I am not sure how you mean to create a "session ID"? Is this a code that I type in the header or something?

Benedizione
03-04-2008, 11:11 PM
Is there a straightforward formula that I can use to create a "session ID"? Or is this something more complicated that has to be written based on the other script on the page?

I was looking through the php.net and found this:


<?php
if (session_id() == "") session_start(); // if no active session we start a new one
echo $_SESSION['user_logged'];
?>


I have seen "session ids" in scripts before but never realized what it meant until now. I have no idea how to set that up on my site but would love to know.
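
The session approach suggested earlier in the thread, as an added example that is not part of the original posts or of the Password Protect script: PHP creates the session ID itself in `session_start()`, the logout step destroys it server-side, and real `Cache-Control: no-store` HTTP headers make the browser re-request the page on "back" so the check runs again. The file name `session_auth.php`, the `LOGIN_URL` value and the helper function names are assumptions; the `user_logged` key follows the php.net snippet quoted above.

```php
<?php
// session_auth.php (hypothetical file name): added example, not the thread's code.
// Requires PHP 7.3+ for the array form of session_set_cookie_params().
const LOGIN_URL = '/login.php'; // assumed location of the login form

function start_secure_session(): void {
    if (session_status() === PHP_SESSION_ACTIVE) return;
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'httponly' => true,
        'secure' => !empty($_SERVER['HTTPS']), 'samesite' => 'Lax',
    ]);
    session_start(); // PHP generates and tracks the session ID itself
}

// Sent as HTTP headers: <meta http-equiv> cache tags are not reliably honoured.
function send_no_store_headers(): void {
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
}

// Call from the login page only after the password has been verified.
function mark_logged_in(string $user): void {
    start_secure_session();
    session_regenerate_id(true); // fresh ID at login, old one is discarded
    $_SESSION['user_logged'] = $user;
}

// Call as the first statement of every protected page, before any output.
function require_login(): void {
    start_secure_session();
    send_no_store_headers(); // "back" must hit the server, not the cache
    if (empty($_SESSION['user_logged'])) {
        header('Location: ' . LOGIN_URL);
        exit;
    }
}

// Call from the logout page: wipes server-side state and expires the cookie.
function logout(): void {
    start_secure_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
    header('Location: ' . LOGIN_URL);
    exit;
}
```

A protected page would start with `<?php require 'session_auth.php'; require_login(); ?>`; after `logout()` runs, pressing "back" triggers a new request that fails the session check and redirects to the login form, with or without JavaScript enabled.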