Gossamer Forum

browser saves userid and password (security issue)

A quick question for a great script: I have noticed that the browser cache keeps the userid and password so that anyone who clicks on the "Back" button can log into the system again, even after logging out. This is an obvious security problem.

Is there a way of clearing the browser cache upon logout w/o using cookies? I thought of using Javascript to open my database in a separate window that closes on logoff, but is there a way to address this problem in Perl w/o using Javascript?

This question was discussed by someone else at http://www.gossamer-threads.com/perl/gforum/gforum.cgi?post=122984;guest=52724#122984 . Unfortunately the answer isn't posted there. It says the person found it in the FAQ, but I couldn't find it there.

Any suggestions? Thanks!
Re: [lobo9] browser saves userid and password (security issue)
This section of the 'unofficial FAQ' http://webmagic.hypermart.net/dbman/admin.htm has several relevant posts regarding sessions.

Good Luck, -Mike.


<later on>
here are the specific topics:
*True Logoff (by JPDeni)
*Add-on to logoff
*Kill Session-ID (logoff)
*Session ID - Expire after (logoff)
*Logout problem

I think the one titled "Kill Session-ID (logoff)" is the one that'll help your situation.
</later on>

Last edited by: Watts: Oct 15, 2001, 4:32 PM

Re: [Watts] browser saves userid and password (security issue)
Thanks for the speedy response and for the tip. That unofficial site is a little tricky to navigate but I found the tip you referred to. As the "Kill Session-ID (logoff)" tip says, in db.cgi I replaced
elsif ($in{'logoff'}) { &auth_logging('logged off') if ($auth_logging);
with
elsif ($in{'logoff'}) { &auth_logging('logged off') if ($auth_logging); unlink("$auth_dir/$uid");

However, it doesn't seem to be working properly. Some info still gets stuck in the browser cache. Here's what happens:
(1) When I click on the Back button on my browser after logging off, the pages viewed during the last session still appear.
(2) If I click on a previously viewed page by clicking on the Back button after logging off AND I either reload the page or view another page not viewed in the previous session, I get bounced to the login error page with the invalid/expired user session message.

Thus, it appears to allow you only to view previously viewed pages, but you can't modify them or go to other pages. Ideally, once someone clicks on the Back button after logging off, he/she would get bounced to the user session expired page.

Thinking this might be conflicting with previous mods I've installed, I tried reloading the original DBMan to another site (http://www.ogiek.org/scripts/db.cgi) and just added the unlink ("$auth_dir/$uid"); mentioned above. The same problem appears.

I tried installing a "true logoff" mod (which removes the session file for the user when he logs off the database) on the site I'm working on (not the site mentioned above) but that didn't seem to change anything.

Any thoughts? Thanks!!!

- b-man
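The behaviour b-man describes (old pages still visible via Back, but any reload or new request bounced to the expired-session page) is exactly what you get when the server-side session file is removed but the browser was never told not to keep a copy of the pages. The following is an added example, not DBMan code and not from the unofficial FAQ: a minimal Perl session handler that shows the two pieces a logout needs, the unlink from the "Kill Session-ID" tip plus no-store cache headers on every authenticated response. The variable names ($auth_dir, $uid) mirror those quoted in the thread, but the session-file layout, the login/logoff subroutines and the hashed session id are all assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example (not DBMan code): a minimal session handler showing what a
# logout needs in order to defeat the Back button without cookies:
#   1. remove the server-side session file so the session id is dead, and
#   2. send no-store cache headers on every authenticated page, so the
#      browser does not keep a copy it can replay from history.
# $auth_dir, $uid and the session file layout are assumptions chosen to
# mirror the variables quoted in the thread, not DBMan's real internals.
use strict;
use warnings;
use File::Temp qw(tempdir);
use Digest::SHA qw(sha256_hex);

# Constructed sandbox: a throwaway directory stands in for DBMan's $auth_dir.
my $auth_dir = tempdir(CLEANUP => 1);

# Headers every authenticated response should carry. "no-store" is the one
# that matters for history navigation; the rest keep older HTTP/1.0 caches
# from holding on to the page.
sub no_cache_headers {
    return join "",
        "Cache-Control: no-store, no-cache, must-revalidate\r\n",
        "Pragma: no-cache\r\n",
        "Expires: Thu, 01 Jan 1970 00:00:00 GMT\r\n";
}

# Create a session file named by an unguessable id; returns the id.
sub login {
    my ($username) = @_;
    my $uid = sha256_hex($username . time() . rand());
    open my $fh, '>', "$auth_dir/$uid" or die "cannot create session: $!";
    print $fh "$username\n";
    close $fh;
    return $uid;
}

# A session is valid only while its file still exists on the server.
sub session_valid {
    my ($uid) = @_;
    # Only accept the hex shape we generate, so $uid can never become a path.
    return 0 unless defined $uid && $uid =~ /^[0-9a-f]{64}$/;
    return -f "$auth_dir/$uid" ? 1 : 0;
}

# Render an authenticated page, or the "session expired" page if the id is dead.
sub render_page {
    my ($uid, $body) = @_;
    my $headers = no_cache_headers() . "Content-Type: text/html\r\n\r\n";
    return $headers . "<h1>Invalid or expired user session</h1>\n"
        unless session_valid($uid);
    return $headers . "<p>$body</p>\n";
}

# Logoff: the unlink is what the "Kill Session-ID" tip adds to db.cgi;
# the no-store headers are the part that tip does not cover.
sub logoff {
    my ($uid) = @_;
    unlink "$auth_dir/$uid" if session_valid($uid);
    return no_cache_headers() . "Content-Type: text/html\r\n\r\n"
         . "<p>You have been logged off.</p>\n";
}

# Walk through the sequence described in the thread.
my $uid = login('alice');
print render_page($uid, 'secret record #1');   # served with no-store, so not kept in history
print logoff($uid);                             # session file is gone
print render_page($uid, 'secret record #1');   # any revisit now yields the expired-session page
```

Because the authenticated page was sent with Cache-Control: no-store, a browser that honours the header re-requests it when the user presses Back instead of showing a saved copy, and the re-request hits the now-missing session file and lands on the expired-session page. Where these headers would be emitted in DBMan itself (wherever db.cgi prints its Content-type line) is an assumption; the point is that they must accompany every authenticated response, not only the logoff page.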
Re: [lobo9] browser saves userid and password (security issue)
I just recently moved several of the log off threads into a new FAQ database,
and remember it stating that for the True Logoff to work your visitors would have to click on logoff to exit the database.

I know the solution is there, but I've been through over 200 threads in the redesign of the FAQ, so I can't remember which of the threads the solution was stated in.

It's much easier now to search within the database to find exactly what you need.
Hopefully before long all the thread references will be moved.


Unofficial DBMan FAQ

http://creativecomputingweb.com/dbman/index.shtml/