Well, I'm facing a problem with sessions in PHP.
I'm developing a PHP-based MTP, for which I require session info to be passed between different PHP files.
My first problem is related to security: when I create a session, my session info is kept in a file in /tmp and is accessible by root. I want to restrict root from accessing this info, as it contains some secure information.
My second problem is when I log out of my service: a logout script is called that unregisters variables and destroys sessions, but when I click the back button in my browser, the browser displays the previous page, i.e. a page which should only be accessible by an authorized user.
For your first problem, I'd say move that session directory somewhere other than just /tmp, like somewhere just outside your document root (edit your php.ini file as mentioned above). root owns everything; you can't prevent root from doing anything, so locking down a file from him isn't possible (without something like a pbmaster type of root-management system, I'm not sure). You can, however, lock out just about anyone else, so set permissions on the directory you're writing them to. Just make sure whatever user Apache is running as for your site has permissions.
For the second problem, take a look at 'no-cache headers'.
In PHP, I believe: header("Pragma: no-cache");
That'll tell the browser (and proxies) not to cache your data. You can force a refresh of the secure page right after the logout, forcing the browser to re-request from the server. The server will deliver a new version of that page (the 'I'm logged out' version), rewriting its cache.
I don't claim these are the only solutions, nor that they are note-perfect. Search for 'no-cache header' on Google and read up.
Hope that helps.
I don't think it's a question of cache here; I think sashhoney just doesn't want the page to be displayed again when a user has logged out, not even without session data. That is why I suggested checking a session variable.
But maybe I misunderstood the question; that's possible too.
Yeah, I'm not sure then that I understand it completely either.
The problem with checking a session variable is that the check is server-side. When the user hits 'Back', the browser is delivering the cached version. There is no data sent to the server for it to verify.
Don't get me wrong, checking sessions is the way I prefer to do things. However, a user having access to a page they just logged out of is not a big concern for me in most of my applications. He just seems to be particularly concerned about this, so that's my suggestion.
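Putting the two suggestions in this thread together (a server-side session check plus no-cache headers so the browser actually re-requests the page), here is an added example that is not code from any of the posters. The session directory path, the file names auth.php / account.php / logout.php and the $_SESSION['user_id'] key are assumptions.

```php
<?php
// --- shared include, e.g. auth.php (hypothetical name) ---

function start_secure_session(): void
{
    // First problem in the thread: keep session files out of /tmp.
    // Constructed path; the directory must be owned by the web server user
    // and not world-readable. This can also be set in php.ini instead.
    ini_set('session.save_path', '/var/lib/php/app-sessions');
    ini_set('session.use_strict_mode', '1');   // reject unknown session IDs
    ini_set('session.cookie_httponly', '1');   // keep the cookie away from JS
    session_start();
}

function send_no_cache_headers(): void
{
    // Second problem: tell browser and proxies not to store the page, so
    // 'Back' after logout re-requests it instead of showing a cached copy.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: Thu, 01 Jan 1970 00:00:00 GMT');
}

function require_login(): void
{
    // Server-side check; only effective once the browser re-requests.
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php');
        exit;
    }
}

// --- protected page, e.g. account.php: call these before any output ---
// start_secure_session(); send_no_cache_headers(); require_login();

// --- logout.php ---
function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    // Expire the session cookie too, not just the server-side file.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    send_no_cache_headers();
    header('Location: /login.php');
    exit;
}
```

With Cache-Control: no-store in place, pressing 'Back' after logout makes the browser fetch account.php again, and require_login() then redirects because the session no longer exists.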