Re: Session Security

From: nice.guy.nige (nigel_moss_at_deadspam.com)
Date: 07/20/04


Date: Tue, 20 Jul 2004 12:41:15 +0100

While the city slept, bonehead (sendmenospam@here.org) feverishly typed...

[login script]
> 1. If a user, who has logged in successfully, navigates to another web
> site within the same browser session, and then attempts to use the
> Back button to return to the 'user_view.php' page within the same
> session,
> they will be redirected back to 'login.php' and required to log in
> again.

Hmm... My first thought was http_referrer, but that is not reliable. My
second thought, which may be better, was to pass a value to the page from
the links within your secure area, e.g. <a href="securepage.php?insite=true">
- then check to see if "insite" is set to "true" in your pages. If not, log
them out and redirect to the login page. Still not completely secure though...

> 2. If the 'user_view.php' page remains static (i.e., no user
> interaction) for a fixed number of minutes (to be determined), the
> user
> is also redirected back to the login page.

When you start your session, write the current time stamp to the session.
Write a second value to the session which is the limit in seconds (so, for 5
minutes, 5*60 = 300). When a new page is opened, check the session, get a
new current time stamp, and if that is greater than the session time stamp +
the time limit, then the session has timed out. Log the user out and
redirect to the login page. Otherwise, write the new current time stamp to
the session and carry on. This is off the top of my head as I remember doing
it (fairly recently, but sleep and Marstons Pedigree have both occurred
since then!)

Hope that helps,
Nige

-- 
Nigel Moss
http://www.nigenet.org.uk
Mail address not valid. nigel@DOG.nigenet.org.uk, take the DOG. out!
In the land of the blind, the one-eyed man is very, very busy!
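An added example of the idle-timeout scheme described in the reply above, written for this archive and not code from Nige or the original poster. It assumes PHP pages named as in the thread (login.php, user_view.php); the session key names, the helper function names and the 300-second limit are my own choices, not anything the thread specifies.

```php
<?php
// Added example (not from the original post): idle-timeout check for a
// session-protected page such as user_view.php, following the reply's scheme:
// store a timestamp and a limit at login, compare on every page, slide the
// timestamp forward on activity. Key names and helper names are assumptions.

declare(strict_types=1);

const IDLE_LIMIT_SECONDS = 5 * 60; // 5 minutes, as in the reply's example

/**
 * Call once in login.php, right after the credentials have been verified.
 * Writes the start timestamp and the idle limit into the session.
 */
function startAuthenticatedSession(int $userId, int $limit = IDLE_LIMIT_SECONDS): void
{
    // Issue a fresh id after login so a pre-login session id is not kept alive.
    session_regenerate_id(true);
    $_SESSION['user_id']       = $userId;
    $_SESSION['last_activity'] = time();
    $_SESSION['idle_limit']    = $limit;
}

/**
 * The check itself, kept free of side effects other than updating the
 * timestamp so it can be exercised with a plain array in a test.
 * Returns true while the session is live, false once it has idled out.
 */
function sessionIsLive(array &$session, int $now): bool
{
    if (!isset($session['user_id'], $session['last_activity'], $session['idle_limit'])) {
        return false; // never logged in, or a partial/tampered session
    }
    if ($now > $session['last_activity'] + $session['idle_limit']) {
        return false; // no activity for longer than the limit
    }
    $session['last_activity'] = $now; // activity seen: restart the idle window
    return true;
}

/**
 * Include at the top of every page inside the protected area.
 * Ends the session and sends the visitor to login.php when the check fails.
 */
function requireLiveSession(): void
{
    session_start();
    if (sessionIsLive($_SESSION, time())) {
        // Stop the browser serving a cached copy of the page on Back, so this
        // server-side check is what decides whether the page is shown.
        header('Cache-Control: no-store');
        return;
    }
    // Tear down completely: clear data, expire the cookie, destroy the record.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: login.php');
    exit;
}
```

`requireLiveSession()` goes at the top of user_view.php and every other page behind the login; `startAuthenticatedSession()` is called from login.php after the password check. The `Cache-Control: no-store` header addresses the first point in the original question: without it the browser can redisplay user_view.php from its cache when Back is pressed and the timeout code never runs.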
