> -----Original Message-----
> From: Teresa Raymond [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, May 05, 2002 2:20 PM
> To: [EMAIL PROTECTED]
> Subject: logout
> 
> 
> I have the following script to logout, but when you push the back 
> button on the browser you can have access to the database.  I would 
> like that not to happen.
> 
> if ($inrequired=~/logout/i)
> {print "Content-type: text/html\n\n";
>    print <<"PrintTag";
>   <html>
>   <head><title>Log Out</title>
>   </head>
> <body bgcolor="#330099" text="#ffff00" link="#FF00FF" alink="#FFCC99" 
> vlink="#FF0000">
> <center>
> <h3>Thank you!</h3>
> <p><a href="$url"> $company Home Page</a> <br> <a 
> href="$urlcwnverify">Log into Apartment/Restaurant/User Info 
> Databases</a>
> </p>
> </center>
> </body>
> </html>
> PrintTag
> exit(0);
> }
> else
> {print "Location: http://traymond.hypermart.net\n\n";
> exit(0);
> }

You cannot "control access to the database" by controlling the
client's navigation path between pages. If you want to prevent
the client from caching the results of a request, this can be
controlled with the Expires: and Cache-Control: response headers
to some extent.

In order to have a login/logout concept, you have to take steps
to actively manage a "session" within your pages. The basic idea
is:

   1. Server receives a request and looks for a piece of
      information identifying the user's session (call it
      a token).
   2. If the token isn't found or isn't valid, redirect to
      a "login" page. When client submits credentials,
      create a session token and return it to the client
      and arrange for it to be submitted with all future
      requests.
   3. If user "logs out", expire the token on the server
      side and notify the client not to pass the token any
      longer.

There are several ways to have the client pass the token
with each request, including:

   a) use a cookie
   b) use hidden form fields
   c) use path info in the request URI

You might want to look at the Apache::Session and related
modules on CPAN. They have methods for managing the token 
in a variety of ways.
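Steps 1 to 3 above, with the token carried in a cookie, as an added example that is not part of the original message and not Apache::Session's own code; the in-memory %SESSIONS hash stands in for the file or database store a real module would use, and the header strings are a simplified assumption.

```perl
#!/usr/bin/perl
# Added example: minimal server-side session store with login, validation
# and logout. %SESSIONS is an in-memory stand-in for a persistent store.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

my %SESSIONS;   # token => { user => ..., expires => epoch seconds }
my $TTL = 1800; # 30 minutes of inactivity

# Unguessable token: 32 random bytes from the kernel, hashed to hex.
sub new_token {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read $fh, my $bytes, 32;
    close $fh;
    return sha256_hex($bytes);
}

# Step 2: credentials accepted, so create a token and tell the client to
# send it back on every request (here via a cookie).
sub login {
    my ($user) = @_;
    my $token = new_token();
    $SESSIONS{$token} = { user => $user, expires => time() + $TTL };
    return "Set-Cookie: session=$token; Path=/; HttpOnly\n";
}

# Step 1: serve a protected request only if the token exists and is
# unexpired; each valid use extends the expiry (sliding window).
sub valid_session {
    my ($token) = @_;
    return 0 unless defined $token;
    my $s = $SESSIONS{$token} or return 0;
    return 0 if $s->{expires} < time();
    $s->{expires} = time() + $TTL;
    return 1;
}

# Step 3: logout deletes the token server-side, so a page reached via the
# Back button carries a token that no longer grants anything. Cache-Control
# tells the browser not to keep a copy; send it on protected pages too.
sub logout {
    my ($token) = @_;
    delete $SESSIONS{$token};
    return "Set-Cookie: session=deleted; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT\n"
         . "Cache-Control: no-store\n";
}

my ($tok) = login('teresa') =~ /session=([0-9a-f]+)/;   # constructed login
print "after login: ",  (valid_session($tok) ? "valid" : "invalid"), "\n";
logout($tok);
print "after logout: ", (valid_session($tok) ? "valid" : "invalid"), "\n";
```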
