i a have developed a web application using laravel5.When i logout from the application and click the back button i still see the pages i previously visited and when i click any of the links,the application requires me to login again.How do i disable the back button of the browser so when i logout and click it i only remain at the login page.
I have tried to implement normal session destroy in my controller and here is are my codes
//step 1.find the session
session_start();
//step 2.unset all the session variables
$_SESSION=array();
//step 3.Destroy the session cookies
if(isset($_COOKIE[session_name()])){
setcookie(session_name(), '', time()-42000, '/');
}
//step 4.destroy the session
session_destroy();
return redirect('auth);
Help please.
Thanks in advance.
Related
In a spring security application i am navigating to the login page and entering my credentials and getting logged in.Now again if i open a new tab in the same browser and navigate to the login url it shows me the login page.If I enter another users credentials and login my previous Jsession ID(ie: the one created in the previous tab) is getting overridden with the new jsession id.Upon refreshing the previous tab the session is overridden.
I want to implement that if a user is logged in already in the application, upon navigating to the url again in another tab on the same browser the homepage of the application should open.
Please advise as how I can accomplish that?
Since the server uses the cookie to map to the current session, you'd have to control how the browser sends cookies. Every time a request is sent to a website from a new tab, most browsers will send all the cookies it has for that domain. Since your server received the same session cookie, it will treat this request as being in the same session. There's no way it can tell the difference.
Therefore, as far as cookie-based web sessions go at least, you probably won't be able to force the creation of a new session upon opening a new tab.
I'm facing some security issue
I have two jsp pages(login page and after login) and I'm exploring them on Chrome.
After I login, the browser moves the page.
Then, if I press the back button on browser tab, the browser moves back to login page. However, The session from my previous login is still valid.
So, I can explore entire web freely by just removing '/login' from my url
What I have to do is..
if the browser moves back to login page, I should invalidate previous session.
In your login page you can check if session is set or not always like below :
<% if(session.getAttribute("user")!=null){
response.sendRedirect("your profile page");//redirect to some page
}
%>
In above code,if user is not null ,then it will go to your profile-page ,put this code in your login.jsp to prevent user to login again ,also don't forget to set your Attribute i.e : user
In my project I am using session destroy method which very simple way in Laravel 5.2 .
/*
|--------------------------------------------------------------------------
| Session Lifetime
|--------------------------------------------------------------------------
|
| Here you may specify the number of minutes that you wish the session
| to be allowed to remain idle before it expires. If you want them
| to immediately expire on the browser closing, set that option.
|
*/
'lifetime' => 10,
'expire_on_close' => true,
Now my question is when session destroy automatically or user close browser tab or close browser that time execute logout query. Is it possible execute logout function all cases?
My logout function
public function logout()
{
$user = Auth::user()->toArray();
$user1 = ActiveUsers::where("assinedto_id",'=',$user['_id']);
$user1 ->delete();
Auth::logout();
return redirect('/login');
}
I want to when session destroy or close browser tab or close browser that time run logout() function. Please suggest me. Thanks
The server does not know if the user has closed the browser window. You need to detect this event via javascript on the client side and notify the server manually.
See this answer: javascript detect browser close tab/close browser
Do this 'expire_on_close' => true in app/config.php if you want users session to expire or destroy only when the entire browser is closed not the tab.
If only the tab is closed it wont destroy the session except the entire browser is closed.
I implemented a LogOut button which logouts user from webpage. Server is Oracle HTTP server.
When clicked on LogOut it executes below procedure
PROCEDURE log_me_off IS
BEGIN
-- Open the HTTP header
owa_util.mime_header('text/html', FALSE, NULL);
-- Send a cookie to logout
owa_cookie.send('WDB_GATEWAY_LOGOUT', 'YES', path=>'/');
-- Close the HTTP header
owa_util.http_header_close;
-- Generate the page
htp.p('
<head>
<script type = "text/javascript" >
history.pushState(null, null, ''xna_hpms_ui.log_me_off'');
window.addEventListener(''popstate'', function(event) {
history.pushState(null, null, ''xna_hpms_ui.log_me_off'');
});
</script>
</head>
You have been logged off from the WEBSITE');
htp.anchor( 'http://www.google.com', 'click here to login a');
htp.p('<BR>bye');
END;
END;
/
Document I referred: https://docs.oracle.com/cd/B13789_01/server.101/b12303/secure.htm
Problem:
In Chrome, when i click on the Log Off button it Log Outs the user and after that when user try to refresh or try to open webpage in new tab a prompt appears asking for the login credentials, if the user clicks Cancel and Refresh the tab he automatically gets logged in. While this behavior is not in IE.
When there are many tabs open and user clicks Log Off button he gets logout from the current page while when navigate to other tab if he clicks anywhere he again asked by webpage to enter credentials while if he clicks Cancel and Refreshes the page he again got logged on without entering credentials.
Kindly Help
I recommend using Custom OWA and your own cookie as a means of authenticating users. Set up the DAD to authorize the schema using custom_owa. Then create the custom_owa.authorize package/function in your schema.
The custom_owa.authorize function will be called before each page is accessed. If it returns true the request is granted. If false, the request is denied.
This give you complete control over who can access what. So what you do is set your own cookie when someone logs into your website. Then in custom_owa.authorize check the cookie and return true or false accordingly.
When someone logs off, destroy the cookie or expire it.
I have two sites(Site1, Site2). What I want to do is that when I click on the logout button of Site1, Site2 will also logout if it a user has logged in on that site on the same browser.
The solution is to remove the session. That is possible for Site1, but it doesn't work on Site2.
So, is it possible to remove session value of a Site2 using the logout the button of Site1? Or could be, is it possible to remove all sessions found in the browser?