Re: [Phplib-users] Re: Phplib-users digest, Vol 1 #90 - 1 msg
From: Layne W. <la...@of...> - 2001-12-10 16:43:31
> On Mon, Dec 10, 2001 at 05:54:58AM -0500, Patrick Haggood wrote:
> > Is there a better way to log someone out from your pages? I'm having
> > intermittent security holes pop up when someone logs out from my pages
> > but then hits 'back' a bunch of times.
Can you be a bit more specific? Is the user re-authorized as himself? as
someone else?
For my needs, $sess->delete() is all the logout I need - I don't bother with
$auth->logout(). (I did use it at one point in time, but abandoned it due to
a few irregularities {they may have been my fault, but my current setup
works fine so I don't worry about it}.)
> The ACS/OpenACS v4 software (OpenACS.org) solves this problem by
> generating a one-time hash value with an embedded timestamp that goes
> into a hidden field in the login page form. Any attempt to login a
> second time with the same name, password and hash value is refused
> somehow. I don't know how the system determines that the hash value
> is being used a second time.
PHPLib's Challenge/Response Crypt auth extension does the same thing. The
distributed local.inc has all you need to do this.
Layne Weathers
Ifworld Inc.
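The one-time, timestamped login challenge discussed above, as an added PHP example. This is not PHPLib's Challenge/Response code and not OpenACS's; the constants, function names, the `<timestamp>:<nonce>:<hmac>` layout of the hidden field, the unsalted password digest and the in-memory `$used` array are illustrative assumptions. What it shows is one way the server can tell that a hash value is being presented a second time: it keeps the challenges it has already accepted until they expire and refuses any that reappear.

```php
<?php
// Added example, not PHPLib or OpenACS code. A login form carries a one-time
// challenge "<timestamp>:<nonce>:<hmac>" in a hidden field; the server accepts
// each challenge once and refuses it thereafter. Constants, function names and
// the in-memory $used store are assumptions for illustration.
declare(strict_types=1);

const CHALLENGE_SECRET = 'replace-with-a-long-random-server-secret'; // assumption
const CHALLENGE_TTL    = 300;                                         // seconds

/** Server: issue a fresh challenge for the login form's hidden field. */
function make_challenge(?int $now = null): string
{
    $now   = $now ?? time();
    $nonce = bin2hex(random_bytes(16));
    $mac   = hash_hmac('sha256', "$now:$nonce", CHALLENGE_SECRET);
    return "$now:$nonce:$mac";
}

/**
 * Client (normally JavaScript in the form): prove the password without sending
 * it, by keying an HMAC over the challenge with the password digest the server
 * also holds. The digest is unsalted because both sides must derive the same
 * value; that is inherent to challenge/response, so guard the digest store.
 */
function make_response(string $challenge, string $password): string
{
    return hash_hmac('sha256', $challenge, hash('sha256', $password));
}

/**
 * Server: validate one login attempt. $used is the set of challenges already
 * accepted (keyed by MAC, value = issue time); in PHPLib it would live in
 * $sess or a table, here it is a plain array passed by reference.
 * Returns null on success, otherwise a short reason.
 */
function check_login(string $challenge, string $response, string $storedDigest,
                     array &$used, ?int $now = null): ?string
{
    $now   = $now ?? time();
    $parts = explode(':', $challenge);
    if (count($parts) !== 3) {
        return 'malformed';
    }
    [$ts, $nonce, $mac] = $parts;
    if (!ctype_digit($ts) || !ctype_xdigit($nonce) || !ctype_xdigit($mac)) {
        return 'malformed';
    }
    // Authenticity first: a forged challenge must never reach the replay table.
    if (!hash_equals(hash_hmac('sha256', "$ts:$nonce", CHALLENGE_SECRET), $mac)) {
        return 'bad-challenge';
    }
    if ((int) $ts + CHALLENGE_TTL < $now) {
        return 'expired';
    }
    // This is the "used a second time" test: the MAC is already recorded.
    if (isset($used[$mac])) {
        return 'replayed';
    }
    // Burn the challenge before checking the password, so a wrong guess
    // cannot be retried against the same challenge either.
    $used[$mac] = (int) $ts;
    foreach ($used as $m => $t) {          // drop entries older than the TTL
        if ($t + CHALLENGE_TTL < $now) {
            unset($used[$m]);
        }
    }
    if (!hash_equals(hash_hmac('sha256', $challenge, $storedDigest), $response)) {
        return 'bad-password';
    }
    return null;
}

// Demo: submit a fresh challenge once, then submit the very same one again.
$used         = [];
$storedDigest = hash('sha256', 'correct horse');   // what the user table holds
$challenge    = make_challenge();
$response     = make_response($challenge, 'correct horse');
var_dump(check_login($challenge, $response, $storedDigest, $used));
var_dump(check_login($challenge, $response, $storedDigest, $used));
```

The first `check_login` call succeeds and records the challenge's MAC; the second call, with identical name, response and hash value, is refused as a replay because that MAC is already in `$used`. Expiry is enforced twice: an old timestamp is rejected outright, and entries past the TTL are dropped from `$used` so the table stays bounded. The order of checks matters: the HMAC over the challenge is verified before anything is stored, so an attacker cannot fill the replay table with challenges the server never issued.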