PHP/MySQL: Secure logging in on public computers? (solved)
-
- Posts: 8
- Joined: Sun Mar 08, 2015 4:18 am
PHP/MySQL: Secure logging in on public computers? (solved)
My game checks the user's email and password against its database.
So it might send you to http://www.mygame.com?emailadd=gra33@ya ... rd=green45
If gra33@yahoo.com's password wasn't green45, the page would give an error message.
However, if someone is playing on a public computer and someone else uses the back button on the same computer, they'd be able to get in.
Is there an easy way to stop this?
Last edited by jameshutchings on Wed Apr 22, 2015 3:35 am, edited 1 time in total.
- vitinho444
- Posts: 2825
- Joined: Mon Mar 21, 2011 4:54 pm
Re: PHP/MySQL: Secure logging in on public computers?
Instead of $_GET use $_POST method, the data exchanged between pages won't be visible on the URL.
-
- Posts: 8
- Joined: Sun Mar 08, 2015 4:18 am
Re: PHP/MySQL: Secure logging in on public computers?
Thanks- but can you give me an example of how to do that?
- vitinho444
- Posts: 2825
- Joined: Mon Mar 21, 2011 4:54 pm
Re: PHP/MySQL: Secure logging in on public computers?
Sure.
So in your form (the login form) where the user will type his username and password you should have:
Code:
<form ... method="GET">
change that 'GET' to 'POST'.
Then in the page where you handle the information (the same page that is in the "action" attribute of the form) you simply change $_GET for $_POST like:
You should have:
Code:
$username = $_GET["username"];
You now change to:
Code:
$username = $_POST["username"];
Hope it helps
- Jackolantern
- Posts: 10893
- Joined: Wed Jul 01, 2009 11:00 pm
Re: PHP/MySQL: Secure logging in on public computers?
Also, if the site's content is particularly sensitive (such as college work/grades, medical info, banking info, etc.), it is a pretty common practice to advise the user to close the browser tab after they are done. You can even attempt to close it for them once they log out, but most browsers don't allow you to do that anymore without a confirmation.
The indelible lord of tl;dr
- vitinho444
- Posts: 2825
- Joined: Mon Mar 21, 2011 4:54 pm
Re: PHP/MySQL: Secure logging in on public computers?
Jackolantern wrote:
  Also, if the site's content is particularly sensitive (such as college work/grades, medical info, banking info, etc.), it is a pretty common practice to advise the user to close the browser tab after they are done. You can even attempt to close it for them once they log out, but most browsers don't allow you to do that anymore without a confirmation.
What does closing the tab do Jacko?
- Jackolantern
- Posts: 10893
- Joined: Wed Jul 01, 2009 11:00 pm
Re: PHP/MySQL: Secure logging in on public computers?
vitinho444 wrote:
  Jackolantern wrote:
    Also, if the site's content is particularly sensitive (such as college work/grades, medical info, banking info, etc.), it is a pretty common practice to advise the user to close the browser tab after they are done. You can even attempt to close it for them once they log out, but most browsers don't allow you to do that anymore without a confirmation.
  What does closing the tab do Jacko?
In all reality, today with Chrome and other major browsers that allow the re-opening of closed tabs, not much. But before that feature existed, it destroyed the state of the browser tab, including the ability to use the back button for a second user on a public computer from backing into the session of the first person who used the computer.
The indelible lord of tl;dr
- vitinho444
- Posts: 2825
- Joined: Mon Mar 21, 2011 4:54 pm
Re: PHP/MySQL: Secure logging in on public computers?
Oh, I see. But I think that using session_destroy() and then redirecting using a header() they can't go back to the session right?
- Jackolantern
- Posts: 10893
- Joined: Wed Jul 01, 2009 11:00 pm
Re: PHP/MySQL: Secure logging in on public computers?
They can't, correct. I think it was just a precaution against old data being shown that was already downloaded.
The indelible lord of tl;dr
- vitinho444
- Posts: 2825
- Joined: Mon Mar 21, 2011 4:54 pm
Re: PHP/MySQL: Secure logging in on public computers?
I get it
Thanks
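The pieces discussed in this thread (POST instead of GET, session_destroy() followed by a header() redirect, and the concern about already-downloaded pages) put together in one login page, as an added example that is not code from any of the posters. The table and column names, the page names login.php and game.php, the `password` and `logout` field names and the database credentials are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed: table `players` (id, email,
// password_hash), pages login.php/game.php, field names, placeholder DB login.

function no_store(): void {
    // Stop the browser keeping logged-in pages, so Back must re-request them.
    header('Cache-Control: no-store');
}

function redirect(string $page): void {
    header('Location: ' . $page, true, 303); // 303: the follow-up request is a GET
    exit;
}

function login(PDO $db, string $email, string $password): bool {
    $stmt = $db->prepare('SELECT id, password_hash FROM players WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);           // fresh session id for the logged-in user
    $_SESSION['player_id'] = (int) $row['id'];
    return true;
}

function logout(): void {
    $_SESSION = [];
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => '/']);
    session_destroy();                      // server-side session data is gone
    redirect('login.php');
}

// login.php: the form uses method="POST", so nothing lands in the URL or history.
session_start();
no_store();
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (isset($_POST['logout'])) {
        logout();
    }
    $db = new PDO('mysql:host=localhost;dbname=game', 'game_user', 'CHANGE_ME');
    $email = (string) filter_input(INPUT_POST, 'emailadd');
    $password = (string) filter_input(INPUT_POST, 'password');
    if (login($db, $email, $password)) {
        redirect('game.php');
    }
    http_response_code(401);
    echo 'Wrong email or password.';
}
```

Every logged-in page (game.php here) would likewise call session_start() and no_store(), and redirect to login.php when `$_SESSION['player_id']` is not set.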