PHP Sessions vs. CI Sessions
#21

[eluser]skunkbad[/eluser]
[quote author="Davcon" date="1334500631"]I'd love to try out Community Auth at some point. Did you build it yourself?[/quote]

Yes. I had originally hoped to have more coding partners, but the few that were interested had ideas that I didn't like. So, with the exception of Valums ajax uploader and some other imported scripts, it's all my code. It's kinda nice being the lone coder in some respects.
#22

[eluser]Davcon[/eluser]
Brilliant! With your permission I'll check it out when I have a few hours to spare.
#23

[eluser]skunkbad[/eluser]
[quote author="Davcon" date="1334503914"]Brilliant! With your permission I'll check it out when I have a few hours to spare.[/quote]

You don't need my permission. Just download it and follow the instructions in the documentation. Link to Community Auth is in my signature. If you download the tip, you will have the most up to date version, already installed in CodeIgniter.
#24

[eluser]CroNiX[/eluser]
[quote author="Davcon" date="1334483855"]Picture this:

You've been hired to build a website for an online bank. The site is going to contain a private area with highly sensitive information about people's bank accounts. One day a person goes into an online cafe to check her bank account. After she logs off, she goes to the Google homepage and leaves her desk, assuming that her details are safe. Next, someone else goes to the same computer, hits the back button and views all that sensitive information.

The bank soon gets word about this fault and calls you (the developer) into their office for an urgent discussion. They tell you that they've received tonnes of reports of users being able to log off, hit the back button and still view sensitive info. The bank demands an explanation from you. So, you say:

"It's the browser's fault"

The bank manager then tells you that it's not acceptable to blame the browser since other banks don't have that problem and their software uses the same browsers that we have to deal with. Then you say...

"Actually, it's not really that bad because even though they can view the page after they've logged out, it'll log them out once the intruder tries to click a button or a link on the private page. So, there's not really a problem here at all."

Can you imagine how that would go down? Your ass would be FIRED in a heartbeat and rightly so.

Still think there's not a problem with CI sessions, guys?

DC

PS - This is all said in a spirit of light hearted banter. I'm merely trying to run an alternative viewpoint past you. Peace and respect to you all![/quote]
And that will happen no matter what language they used unless they understand this is a browser cache issue and need to code appropriately using redirects, no-cache headers (can't be relied on as that is up to the browser to honor and hackers tend to use browsers that ignore them) and some other tricks.

A lot of people using this forum seem to have issues grasping basic X/HTML, let alone PHP or CI, and I have no doubt they will have this issue (no matter the session storage mechanism) since they don't understand the fundamental underlying problem to begin with. I code in PHP, Java and ASP.NET and this issue exists with all of them because it has to do with the browser, not the language or storage mechanism used. It's not up to CI sessions to solve this, or ASP.NET sessions or Java sessions because there is no one size fits all solution. It's up to the professional developers to understand the underlying issues on the web and prevent them in their "secure" apps.

"I'm sorry, person who signs my paychecks, I rely on a framework to solve my issues so I don't have to understand them or think for myself. The framework should have known this and fixed it for me." doesn't fly in the corporate world, either. And you're right; someone absolutely SHOULD be fired if they code a "secure" app as you described above because they obviously don't know what they're doing.
#25

[eluser]Davcon[/eluser]
Yawn.
#26

[eluser]CroNiX[/eluser]
I would expect no less from someone who doesn't understand the problem.
#27

[eluser]wiredesignz[/eluser]
@Davcon (aka David C)
That was a very ignorant reply.

You had better change your username again, because I suspect that this is the last time many of the dedicated forum members here will feel inclined to offer you assistance.
#28

[eluser]jellysandwich[/eluser]
My team and I are actually trying to find a way to deal with this exact problem right now. How do you implement the redirects/no-cache headers for this?

For now, we've implemented a 30 minute timer which logs the user out. However, users can still press the back button to view the cached page. Obviously, none of the links/functionality work when they do, but they can still see the info on the page. The client wants to prevent this if possible.

(As much as it pains me to say it, the client wants to prevent this NOT because of security, but because the ajax calls screw up the styling on the page. *shudders* I, however, would like to learn for security reasons.)

[quote author="CroNiX" date="1334523494"]
And that will happen no matter what language they used unless they understand this is a browser cache issue and need to code appropriately using redirects, no-cache headers (can't be relied on as that is up to the browser to honor and hackers tend to use browsers that ignore them) and some other tricks.

A lot of people using this forum seem to have issues grasping basic X/HTML, let alone PHP or CI, and I have no doubt they will have this issue (no matter the session storage mechanism) since they don't understand the fundamental underlying problem to begin with. I code in PHP, Java and ASP.NET and this issue exists with all of them because it has to do with the browser, not the language or storage mechanism used. It's not up to CI sessions to solve this, or ASP.NET sessions or Java sessions because there is no one size fits all solution. It's up to the professional developers to understand the underlying issues on the web and prevent them in their "secure" apps.

"I'm sorry, person who signs my paychecks, I rely on a framework to solve my issues so I don't have to understand them or think for myself. The framework should have known this and fixed it for me." doesn't fly in the corporate world, either. And you're right; someone absolutely SHOULD be fired if they code a "secure" app as you described above because they obviously don't know what they're doing.[/quote]

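The redirect and no-cache approach CroNiX describes, worked through for the question above as an added example (this is not code from the thread, from Community Auth or from CodeIgniter itself). It assumes a CodeIgniter 2.x install, a hypothetical `Account` controller, a session key `user_id` and view/route names that are placeholders; as CroNiX notes, the headers only work if the browser honours them, so the server-side session check on every private request remains the real control.

```php
<?php
// Added example (not from the thread or from CodeIgniter): a CodeIgniter 2.x
// controller that sends no-cache headers on private pages and redirects after
// logout. 'Account', 'user_id' and the view/route names are hypothetical.
class Account extends CI_Controller {

    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->helper('url');
    }

    // Every private page calls this before rendering so the browser is asked
    // not to keep a copy in its history cache. Cache-Control: no-store is the
    // part that matters for the back button; Pragma and Expires cover old
    // HTTP/1.0 caches. A browser may still ignore these headers, so the
    // session check in balance() is what actually protects the data.
    private function _no_cache()
    {
        $this->output->set_header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
        $this->output->set_header('Pragma: no-cache');
        $this->output->set_header('Expires: Sat, 01 Jan 2000 00:00:00 GMT');
    }

    // Private page: unauthenticated requests are redirected before any
    // sensitive markup is produced, then the headers and the view are sent.
    public function balance()
    {
        if ( ! $this->session->userdata('user_id'))
        {
            redirect('account/login');
        }
        $this->_no_cache();
        $this->load->view('account/balance');
    }

    // Logout: destroy the server-side session, then answer with a redirect
    // (302) rather than a page, so the logout response itself is not
    // something the next user can step back onto in the history.
    public function logout()
    {
        $this->session->sess_destroy();
        redirect('account/login');
    }
}
```

With this in place, stepping back after logout makes the browser refetch `account/balance` instead of showing the cached copy, and that refetch is redirected to the login page because the session is gone.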
#29

[eluser]Davcon[/eluser]
All I know is that a guy who has well over 2,000 posts on a forum has just lectured me about what the corporate world wants.

Can anyone else see why that's a bit strange? Go on! Have a guess! :)
#30

[eluser]Davcon[/eluser]
Wired - if you represent the official voice of Codeigniter or the official voice of this forum then please let me know and I promise you'll never see me here again.
