When a user logouts on my website it redirects them to the home page. But if they hit back in their browser it still has them as logged in. (logged in features don't work, as expected)
To counter this I was thinking about setting up the if(isset($_SESSION['signed_in'])) in a seperate file called by ajax, which would do a fresh reload even if the user hit back. But, would this cause any kind of security issue?
Basically use Javascript to check if user is signed in and to signout a user.
Is there a better way to do this?
Log in/out is pure PHP atm, no javascript involved.
Yeah as adeneo says, check if the browser loads your page from cache.
If it don't then check your log out code, be sure that you destroy the session or at least unset the session data used to check if user is logged.
I'm not sure to have completely understand your issue
Good luck
Related
When the logged-in user clicks on the browser back button, he falls back to the login page from the main page he entered. And this happens without being routed in any way and running the controller functions because the browser's cache is loaded. I tried to clean all cache via middleware, but it didn't happen. Then, if the user tries to fill in his information from the login page and enter again, 419 page expired error is coming. I tried to do this with session checking method. I gave a key to the session, but the controller didn't recognize the key in the session because it didn't work. I looked through the history library (history.js) but couldn't find the solution as I wanted. My aim was to log out when the user presses the browser back button and show a box like Are you sure you want to exit, and then allow him to log in again. unfortunately, I couldn't do this in laravel I really need help and I can't find solution I think it can be done with AJAX or JS but I'm not sure. I am suffering from this situation for days. Your help will be rewarded. Thank you to everyone who has already read.
I have a problem and after some research online was unable to find other people with this same issue.
I'm designing a site that has sensitive data the user's work with in the page content. It uses CodeIgniter as well as CodeIgniter's session and cookie implementations to track user activity and determine when a session has expired. when sessions expire, the user has to log in again either through a sign-in portal or through a sign-in popup.
My issue is if someones working on their computer then just gets up and walks away from the browser, the session expires, but they didn't realize the session would expire then return to their computer to finish their work. There is a regular ajax call that checks if the user has been inactive, and if the time threshold is reached their session data will be erased and the session is no longer active. There is then a popup window prompting the user to sign in again if they want to keep working.
The problem is, how do I protect any sensitive data in the HTML in the meantime? You might think if the session expires just redirect the user away from the page, but if they're in the middle of something I don't want to erase all of their work. I could try just hiding the HTML using javascript, but then someone could just open the inspector to see the HTML. is there some way I could prevent anyone from seeing the page data at all unless the sign in a popup is completed?
Thanks for any input.
I don't know of anyway to protect their work like you're asking.
I'd suggest saving the users work in a draft format, as they enter it. Then if they walk away and get logged out it doesn't matter, the work is still there when they log on next.
I am using Casperjs to Login in my Amazon Account and retrieve some data.
But once in a while I get Captchas on the login. So casperjs display to me the captcha and I manually return the solution so it can submit the form.
The problem is that CasperJS gets immediately another captcha, this time it's more difficult. I resolve this too, but another captcha appears... and so on indefinitely...
I don't do anything special, just some casperjs fill and click.
Casperjs loads in the page an external js file with the captcha solution, and then submit.
I am sure that the right captcha is submited.
How can Amazon be so sure to trap me in an infinite loop?
Consider how it looks from their point of view. They can tell a robot is accessing your account based on mouse and keyboard interactions. A human will scan the page and move their mouse randomly while searching for the login buttons. Your script jumps directly to clicking the selector.
When a captcha appears, you fill it in. This does not prove you are a human. This simply proves that your robot can alert you to a captcha for a human to fill in. The rest of the interactions are all done by a robot, and Amazon is fully aware of this. You can answer as many captchas as you like, but the interactions to get this far are still going to be flagged as a robot.
You may want to go down a different route, like having a cookie to start a CasperJS session with your account already logged in. Alternatively, does Amazon provide any sort of API to pull out the value you're interested in?
They're blocking your robot out of geniune love and concern, if that makes you feel any better!
Unfortunately this is not an exact science, so probably there is no such thing as a general, durable solution. Amazon.com uses different techniques to check if you are a robot, including browser fingerprinting, cookie challenges and user behavior profiling (mouse movements and so on).
I would try first to randomize some part of the user agent, only to see if that works. And I would also try a full headless browser like Chromium, using Selenium to allow the script to talk with it.
Can I ask how frequently are you trying to crawl your account? I think it shouldn't be a big deal if you are doing that one a day or so.
Some pages remember input via Back/Forward. So you can copy your stuff. I imagine thats tricky.
I don't know any coding languages so as an outsider:
Isn't it easier to just trigger a login popup on top of whatever you are doing when your sessions has expired and you use an action that requires you be logged in?
I need to know if thats hard or the guy who's doing my webpage is bullshitting me for cash.
(obviously don't get into any pop-up blocking cases - assume popups are allowed.)
To clarify:
If we make a cookie that effectively re-logs you every time your session expires, we might as well make sessions never expire. The point is to - every now and then ask the user for credentials without wasting their current page input. Thats why I asked if instead of redirecting the user to login or disabling the page, can't we just trigger a login inside a new pop up? I haven't seen it done very often on the web thats why I asked if its complicated.
There are several ways to go about doing this. As far as coding ability personally I wouldn't say it's difficult enough to charge you an arm and a leg, but the complexity does depend on the language, the organization of the site, and along with those things, it's completely relative depending on who you've hired.
I guess to give you an example of storing information locally when a user visits a website using javascript you can do the following:
// Store
localStorage.setItem("lastname", "Smith");
// Retrieve
document.getElementById("result").innerHTML = localStorage.getItem("lastname");
for a more in depth look at that example you can check out http://www.w3schools.com/html/html5_webstorage.asp
Probably, your problem can be solved very easily with the use of cookies in you page. Setting cookie will let the user logged in for the specific time as specified by the programmer.
If you are sure you just want some action to do if login session expired, then you need not to let the user perform some other action. Just store the relevant information in cookies instead of Session and user will be logged in.
Ask the person you hired for making the use of cookie.
For more details on how to work with and about cookies, visit this link
In my web application, I'm providing a link, clicking on which goes to another page, shows some data,popups a page and goes back using javascript back() function.
It was working fine but it fails in certain cases. For example, this link appears after a form submission also. When the back() function is called here, the Webpage Expired message is shown because it was a POST operation.
How can I go back to the previous page using javascript in this situation?
Please provide your inputs...
You can't do anything about page expiration from JavaScript - that's how the browser opts to protect the user from re-submitting the form accidentally.
You could use the POST/Redirect/GET approach, depending on how your application works, to ensure users always land on a GET after submitting their form, so you always have a valid state to go back to.
To be honest, 99% of the time using the back() functionality in JavaScript is an indication something's wrong in the underlying approach. It's just too fraught with problems to be workable, as you're seeing here. You might get further if you start a new question to describe what you're trying to accomplish. There's a lot of really smart people around here who can all put their heads together and help you come up with something.
Can you explain why you need to navigate to the previous page using client-side script? I'm assuming it's because the user may be arriving at this page from various other pages and you want to direct them back to the page they came from. You could always store the user's previous page URL in a session or cache object and direct them back to that URL in server-side code. Or, if you know where they will always be coming from, direct them back to a static URL. I may be able to offer more assistance if you offer more details.