[eluser]CroNiX[/eluser]
[quote author="Davcon" date="1334483855"]Picture this:
You've been hired to build a website for an online bank. The site is going to contain a private area with highly sensitive information about people's bank accounts. One day a person goes into an online cafe to check her bank account. After she logs off, she goes to the Google homepage and leaves her desk, assuming that her details are safe. Next, someone else goes to the same computer, hits the back button and views all that sensitive information.
The bank soon gets word about this fault and calls you (the developer) into their office for an urgent discussion. They tell you that they've received tonnes of reports of users being able to log off, hit the back button and still view sensitive info. The bank demands an explanation from you. So, you say:
"It's the browser's fault"
The bank manager then tells you that it's not acceptable to blame the browser since other banks don't have that problem and their software uses the same browsers that we have to deal with. Then you say...
"Actually, it's not really that bad because even though they can view the page after they've logged out, it'll log them out once the intruder tries to click a button or a link on the private page. So, there's not really a problem here at all."
Can you imagine how that would go down? Your ass would be FIRED in a heartbeat and rightly so.
Still think there's not a problem with CI sessions, guys?
DC
PS - This is all said in a spirit of light hearted banter. I'm merely trying to run an alternative viewpoint past you. Peace and respect to you all![/quote]
And that will happen no matter what language they use unless they understand that this is a browser cache issue and code appropriately, using redirects, no-cache headers (which can't be relied on, since it is up to the browser to honor them and hackers tend to use browsers that ignore them) and some other tricks.
A lot of people using this forum seem to have issues grasping basic X/HTML, let alone PHP or CI, and I have no doubt they will have this issue (no matter the session storage mechanism) since they don't understand the fundamental underlying problem to begin with. I code in PHP, Java and ASP.NET and this issue exists with all of them because it has to do with the browser, not the language or storage mechanism used. It's not up to CI sessions to solve this, or ASP.NET sessions or Java sessions because there is no one size fits all solution. It's up to the professional developers to understand the underlying issues on the web and prevent them in their "secure" apps.
"I'm sorry, person who signs my paychecks, I rely on a framework to solve my issues so I don't have to understand them or think for myself. The framework should have known this and fixed it for me." doesn't fly in the corporate world, either. And you're right; someone absolutely SHOULD be fired if they code a "secure" app as you described above because they obviously don't know what they're doing.
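As an added illustration of the two things CroNiX's reply says the developer (not the framework) has to do, here is a plain-PHP sketch that is not from this thread and not CodeIgniter's own code: it sends cache-control headers on private pages so a well-behaved browser does not keep the page in history, and, because those headers cannot be relied on, it also re-checks the server-side session on every request and redirects after logout so a re-fetched page never shows account data. The function names, the `user_id` session key and the `/login` URL are assumptions made for the example.

```php
<?php
// Added example, not from the thread or from CodeIgniter. Helper names,
// the 'user_id' session key and the '/login' URL are assumptions.

// Ask browsers and intermediaries not to store this response at all.
// 'no-store' is the directive that matters for the back button; 'no-cache'
// alone still allows the page to be stored and merely revalidated.
// A browser is free to ignore all of this, so the server-side check in
// require_login() is what actually decides whether data is shown.
function send_no_store_headers(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');                          // HTTP/1.0 caches
    header('Expires: Thu, 01 Jan 1970 00:00:00 GMT');    // already expired
}

// Called at the top of every private page. A page re-requested via the
// back button after logout hits this check and is redirected, because the
// server-side session no longer exists.
function require_login(string $login_url = '/login'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user_id'])) {
        header('Location: ' . $login_url, true, 303);
        exit;
    }
}

// Logout: wipe the server-side session, expire the session cookie and then
// redirect. Redirecting means the logout response itself is never the page
// that sits in the browser's history.
function logout(string $login_url = '/login'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    send_no_store_headers();
    header('Location: ' . $login_url, true, 303);
    exit;
}

// Example private page (constructed): headers first, then the session check,
// and only then any output.
send_no_store_headers();
require_login();
echo 'Account page for user ' . htmlspecialchars((string) $_SESSION['user_id']);
```

The order matters: both `header()` calls and `session_start()` must run before any output is sent, so the cache headers and the login check sit at the very top of the script (in CodeIgniter that would normally live in a base controller or a hook rather than in each page). The headers are the courtesy to honest browsers; the per-request session check and the post-logout redirect are the part that holds up when the browser, or whoever is using it, ignores them.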