Security issue in PHP after logging in (using codeigniter)

Question

I am using CodeIgniter to build an admin system. But I am having a problem regarding security.

Let me give an example: A user succesfully logged in and gets redirected to the main page of the admin system. Now that users presses the "BACK" button in his browser. He now gets send back to the login page. He now presses the "NEXT" button and get send back to the main page of the admin system.

I don't want users to be able to get send back to main page of the admin system once they are at the login page after they are logged in. How can I achieve this.

Thanks in Advance,
Mark

EDIT:
Thanks for all the ideas, but no works for me. What I meant was, that when someone logs in he gets redirected to the main page of the system. Then he clickes on the "back" button that is left of the url bar at the top of the browser.

Try clearing cache on login page http://stackoverflow.com/questions/1037249/how-to-clear-browser-cache-with-php and check if user is authorized and redirect him if `$authorized==true`. — loler, Aug 14 '12 at 11:03
I got you mate. Just check for the session data in your controller index before loading the login form. If the session is set,directly go to main page. If not,open login form — Bhuvan Rikka, Aug 14 '12 at 12:09
I noticed that it works partly. It works, but only when I refesh the page. That doesn't happen when I click on the back button. So I have to find a way to reload the login page everytime — DijkeMark, Aug 14 '12 at 12:23

score 0 · Answer 1 · answered Aug 14 '12 at 11:04

0

Have your login page first check to see if the user is already logged in by checking the session.

If the user IS logged in, use a php redirect such as header (“Location: $URL”); where $URL is your main page.

answered Aug 14 '12 at 11:04

Delorean

491
4
17

score 0 · Answer 2 · answered Aug 14 '12 at 11:06

0

Simply use sessions on login page:

if(isset($_SESSION['admin_loggedin'])){
header("location: admin_index.php");
exit();
}

answered Aug 14 '12 at 11:06

behz4d

1,819
5
35
59

score 0 · Answer 3 · edited May 23 '17 at 11:48

0

Try clearing cache on login page How to clear browser cache with php? , check if user is authorized and redirect him if $authorized==true.

you can check authorization via checking SESSION or cookies or else...

edited May 23 '17 at 11:48

Community

1
1

answered Aug 14 '12 at 11:06

loler

2,594
1
20
30

score 0 · Answer 4 · answered Aug 14 '12 at 11:24

PHP will returns to the login page if it exists on cache and will not actually reloads from server, So we need to force PHP to load it from server when comes to the login page check. So you can use,

header("Cache-Control: no-cache, must-revalidate");

if(isset($_SESSION['user']))
{
      //Write your redirect code
}
else
{
      //Redirect to login page
}

in the page where you are check whether login exists or not. So that PHP will reloads each time from the server without loading from cache. And if session exists, you will be resirected to the corresponding page

Security issue in PHP after logging in (using codeigniter)

4 Answers4