Sunday, April 10, 2011

Disable Browser's Back Button

When building an admin panel, one must disable the browser's back button after sign-out.
This is one of the loopholes that many programmers leave in their applications.

One of these loopholes can be closed by disabling the back button. Place this code in the head section, and the user can no longer go back and refresh the page to return to the logged-in session after the logout has been performed:

<head>
<title>Welcome to the Secured Admin Panel</title>
<script type="text/javascript">
// If this page is reached via the Back button, push the browser forward again.
// history.forward() takes no arguments.
window.history.forward();
</script>
</head>

Under the usual architecture, once a user has logged in, the data exchanged with the server is kept in the browser. So even after the user logs out, anyone can use the back button to reach the logged-in home page and press F5 to get into a session again without entering the user id/password combination. This is possible only as long as the browser has not been closed in the meantime. Because of this loophole, destroying the SESSION on logout is not required, since that alone does not remove the risk; simply unsetting the logged-in SESSION variable works exactly the same. The point is to stop the next visitor of that browser from using the back button for that domain.

Much more is needed to build a secure login mechanism. Each session id must be tracked, together with a server-side SESSION variable that holds a unique login id for every login, and that value must be changed on the logout action, so that even the back button followed by a refresh cannot produce a new logged-in session. In that case the user has to log in to the admin panel again by entering the login credentials from scratch.
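The server-side half of that mechanism, as an added example that is not part of the original post: a fresh session id is issued on each login and destroyed on logout, so a replayed cookie after Back + F5 is rejected, and every authenticated response carries no-store cache headers so the browser cannot redisplay the page from its cache. The session store, paths and user names are constructed for illustration.

```python
import secrets
from http import HTTPStatus

# Headers that forbid caching of authenticated pages, so Back/F5 cannot
# show a stale logged-in page after logout.
NO_STORE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
}


class SessionStore:
    """Server-side session table; the cookie only carries an opaque id."""

    def __init__(self):
        self._sessions = {}

    def login(self, user):
        sid = secrets.token_urlsafe(32)  # fresh, unguessable id per login
        self._sessions[sid] = {"user": user, "logged_in": True}
        return sid

    def logout(self, sid):
        # Destroy the server-side record; a replayed cookie now maps to nothing.
        self._sessions.pop(sid, None)

    def user_for(self, sid):
        s = self._sessions.get(sid)
        return s["user"] if s and s["logged_in"] else None


def handle_admin_request(store, sid):
    """Return (status, headers, body) for GET /admin carrying cookie sid."""
    user = store.user_for(sid)
    if user is None:
        # Not authenticated: redirect to the login page, never serve the panel.
        return HTTPStatus.FOUND, {"Location": "/login", **NO_STORE_HEADERS}, ""
    return HTTPStatus.OK, dict(NO_STORE_HEADERS), f"Welcome, {user}"


def demo():
    """Simulate login, logout, then Back + F5 replaying the old cookie."""
    store = SessionStore()
    sid = store.login("admin")
    before = handle_admin_request(store, sid)
    store.logout(sid)
    after = handle_admin_request(store, sid)  # same cookie, now invalid
    return int(before[0]), int(after[0])  # (200, 302)


if __name__ == "__main__":
    print(demo())
```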
