Draff has asked for the wisdom of the Perl Monks concerning the following question:

I am having a problem, dear mighty monks. I am trying to write a website using Perl on an Apache server, where a user needs to log in with a password. When the logout/signout button is pressed (like most email systems have), how can I make all the previous pages expire? I have used "expires" in the printed header, but when I copy the whole http://... (ID number, etc.) from the browser address bar and then press Enter, it still directs me back to the page, the page that should only be viewable after logging in. I think I have a bit of a misunderstanding about 'expires'. So what can I do so that after the user has logged out, and the address of a visited page is copied down and retyped into the browser address bar, it is no longer accessible without logging in again? Do I really need cookies, or is there another way, because I am not familiar with the cookies stuff? Thanks for the response, thank you.

Re: How to code security for Expires Page
by jorg (Friar) on Jun 06, 2001 at 15:45 UTC
    You're looking to build a user session that is constructed upon logon and invalidated after a timeout or when the user presses 'logout'. Mind you that browser caching can often get in the way here, so you need to be careful.

    Generally there are three ways of building the notion of state (or session) for a web user:
  • Carry all your variables and user info around in hidden variables (NOT recommended)
  • Cookies (NOT recommended because it will fail if the user has cookies switched off)
  • URL rewriting: assign a unique sessionID to each logged-on user and append this ID to each URL

    A supersearch on keyword 'session' reveals a lot of stuff that should send you on your way.

    Jorg

    "Do or do not, there is no try" -- Yoda
      I want to provide a little more guidance. One more reason not to use cookies: cookie data is limited (I believe max 2K). For a PDA it might be even less. It really should be only some kind of ID.

      How to use SessionID:

      You need to store the sessionID in a database. For each sessionID you'll store all the needed information, like the UserID (no need to put it into the cookie). When the user logs in, you'll check if s/he has a session, if it has expired, etc., and read all the info you thought you wanted to store in the cookie. You may not allow a new login before the old session has expired, to avoid multiple persons accessing the same data.

      If the sessionID is valid, you may want to 'renew' the expiration timestamp, so the session will expire i.e. after 15 minutes idle.

      For a valid new login, you create a new sessionID (a really big random number) and pass it on into every page in that session. Even if a malicious user tries to subvert your security, there is little chance s/he will guess a valid sessionID and be able to impersonate another user.

      Hope this helps.

      pmas

        How can I generate the session ID? IIS normally generates it for me, but does CGI also do that? I am really new to CGI-Perl.
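      The session scheme pmas describes, and the ID generation Draff asks about, as an added example in plain Perl that is not pmas's or Draff's code. The %SESSIONS hash stands in for the database table, the function names (new_session_id, login, validate, logout) and the 15-minute idle timeout are my own choices, and the ID is read from /dev/urandom, so the script assumes a Unix host. The walk-through at the bottom uses a constructed clock instead of time() so the timeout can be shown without waiting.

```perl
#!/usr/bin/perl
# Added example: a minimal server-side session store of the kind pmas
# describes. %SESSIONS stands in for the database table.
use strict;
use warnings;

my $IDLE_TIMEOUT = 15 * 60;   # seconds of inactivity before a session dies (assumed value)
my %SESSIONS;                 # sessionID => { user => ..., expires => epoch seconds }

# Generate a session ID from 32 bytes of OS randomness. Never use rand():
# its output is predictable, and a predictable ID lets one user's session
# be guessed by another.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read($fh, my $bytes, 32) == 32 or die "short read from /dev/urandom";
    close $fh;
    return unpack 'H*', $bytes;   # 64 hex characters, 256 bits of entropy
}

# Log a user in. Refuse a second concurrent login for the same user (pmas's
# point about not letting two people share one account's data); otherwise
# create a fresh row and return its ID.
sub login {
    my ($user, $now) = @_;
    for my $row (values %SESSIONS) {
        return undef if $row->{user} eq $user && $row->{expires} > $now;
    }
    my $id = new_session_id();
    $SESSIONS{$id} = { user => $user, expires => $now + $IDLE_TIMEOUT };
    return $id;
}

# Validate the ID a request carries. Returns the user name and renews the
# idle timer ("sliding expiry"), or returns undef and deletes a stale row.
sub validate {
    my ($id, $now) = @_;
    return undef unless defined $id && $id =~ /\A[0-9a-f]{64}\z/;   # reject malformed IDs early
    my $row = $SESSIONS{$id} or return undef;
    if ($row->{expires} <= $now) {
        delete $SESSIONS{$id};   # expired: treat exactly like no session at all
        return undef;
    }
    $row->{expires} = $now + $IDLE_TIMEOUT;
    return $row->{user};
}

# Logout destroys the row on the server. A copied URL that still carries the
# old ID then fails validate(), whatever the browser may have cached.
sub logout {
    my ($id) = @_;
    delete $SESSIONS{$id};
}

# Walk-through with a constructed clock ($t) rather than time().
my $t  = 1_000_000;
my $id = login('draff', $t) or die "login refused";
print "login ok, id=$id\n";
print "valid after 10 idle minutes:  ", (validate($id, $t + 600)  ? "yes" : "no"), "\n";  # yes, timer renewed
print "valid 14 minutes after that:  ", (validate($id, $t + 1440) ? "yes" : "no"), "\n";  # yes, renewed again
print "valid 16 minutes after that:  ", (validate($id, $t + 2400) ? "yes" : "no"), "\n";  # no, expired and deleted
$id = login('draff', $t + 3000) or die "login refused";   # old session is gone, so a new login is allowed
logout($id);
print "valid after logout:           ", (validate($id, $t + 3000) ? "yes" : "no"), "\n";  # no
```

      Run as a plain script (perl sessions.pl) it prints the four yes/no lines; in a CGI it would be called with time() as the clock and the sessionID taken from the URL or cookie. The two checks that matter for Draff's question are that validate() consults the server-side table on every request, and that logout() removes the row there, so retyping an old URL cannot bring the page back.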
Re: How to code security for Expires Page
by tachyon (Chancellor) on Jun 06, 2001 at 16:16 UTC

    Unfortunately not all browsers respect the expires directive; you might try the following to add the no-cache pragma to the headers when you output the login page:

    tachyon

    # if using CGI.pm to generate output try:
    print $query->header(
        -type          => 'text/html',
        -expires       => '-1d',
        -Pragma        => 'no-cache',
        -Cache_Control => 'no-cache',   # written with an underscore: CGI.pm converts it to "Cache-control"
    );

    # if directly outputting try (note the blank line that ends the header block):
    print <<END_OF_HEADER;
    Status: 200 OK
    Expires: now
    Pragma: no-cache
    Cache-control: no-cache
    Content-type: text/html

    END_OF_HEADER

    This should generate a page expired message when you try to go back.

      I have tried the code you sent, but the problem is it still loads the page when I press the back button. The page only expires when that particular page hasn't finished loading 100% and I press another link; then when I press the back button, the expired page shows. Otherwise, if the page has finished loading 100%, I click another web page link and press back, and the page doesn't expire.
Re: How to code security for Expires Page
by merlyn (Sage) on Jun 06, 2001 at 18:10 UTC
Re: How to code security for Expires Page
by RatArsed (Monk) on Jun 06, 2001 at 16:19 UTC
    You don't want an expires header; you'll be wanting a "Pragma: no-cache" header and a "Cache-control: no-cache" header (to catch HTTP/1.0 and HTTP/1.1 clients and caches).

    When specified, every request will be revalidated at the server, so, if you've destroyed your session object there, you'll want to tell the user to log in again...
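    The headers tachyon and RatArsed describe, combined with the server-side session check, as an added example that is not code from either of them or from the thread. It prints header lines directly, so it does not need CGI.pm; the session table is a single constructed row, the login and logout script paths are assumed, and the query-string parameter name sid is my own. Beyond the thread's "no-cache", it also sends "no-store", which additionally forbids the browser from keeping a copy at all and is what stops the Back button from showing a logged-out page.

```perl
#!/usr/bin/perl
# Added example: a protected CGI page that emits the no-cache headers
# discussed in the thread and bounces requests without a valid session to
# the login page. Run from the command line it prints two sample responses.
use strict;
use warnings;

# Constructed sample session row; a real script would query the database.
my %SESSIONS = ( deadbeef => { user => 'draff', expires => time + 900 } );

# Headers for a page that must never be served from a cache:
#   Cache-Control: no-cache      -> HTTP/1.1 caches must revalidate with the server
#   Cache-Control: no-store      -> no copy may be kept at all (defeats Back after logout)
#   Pragma: no-cache             -> same intent for HTTP/1.0 caches
#   Expires in the past          -> for clients that understand nothing else
sub no_cache_headers {
    my ($status) = @_;
    return join "\r\n",
        "Status: $status",
        "Expires: Thu, 01 Jan 1970 00:00:00 GMT",
        "Pragma: no-cache",
        "Cache-Control: no-cache, no-store, must-revalidate",
        "Content-Type: text/html",
        "", "";   # the extra empty element yields the blank line that ends the headers
}

# Redirect for anyone who is not logged in (assumed path of the login script).
sub redirect_to_login_headers {
    return join "\r\n",
        "Status: 302 Found",
        "Location: /cgi-bin/login.pl",
        "Cache-Control: no-store",
        "", "";
}

# Look up the session ID carried in the query string (jorg's URL-rewriting
# option). Unknown or expired IDs are rejected, so a copied URL stops working
# as soon as the server-side row is deleted.
sub current_user {
    my ($query_string) = @_;
    my ($id) = ($query_string // '') =~ /(?:^|&)sid=([0-9a-f]+)(?:&|$)/;
    return undef unless defined $id && $SESSIONS{$id} && $SESSIONS{$id}{expires} > time;
    return $SESSIONS{$id}{user};
}

# Build the complete response text for one request.
sub respond {
    my ($query_string) = @_;
    my $user = current_user($query_string);
    return redirect_to_login_headers() unless defined $user;
    my ($id) = $query_string =~ /sid=([0-9a-f]+)/;
    return no_cache_headers('200 OK')
         . "<html><body>Hello, $user. "
         . "<a href=\"/cgi-bin/logout.pl?sid=$id\">Logout</a></body></html>\n";
}

# Demo with constructed requests rather than $ENV{QUERY_STRING}.
print "--- request with a valid session ---\n", respond('sid=deadbeef');
delete $SESSIONS{deadbeef};   # this is what the logout script does on the server
print "--- same URL retyped after logout ---\n", respond('sid=deadbeef');
```

    The first response carries the no-cache and no-store headers together with the page; the second, for the identical URL, is a redirect to the login page because the session row no longer exists. In a real CGI the last three lines would become a single print respond($ENV{QUERY_STRING}), and the logout script would delete the row and then send the same redirect.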