browser back button issue!

n3wb!e · #1 (**permalink**) 02-28-07, 12:27 PM

Hello everyone,

i am working on a password reset page. i am sending a link to reset/change the password for the registered users through mail. whenever the user clicks on the link, hes taken to a page where he can change his password. after submitting the form, the user can click browser back button and can change the password again. i dont want this to happen. it should either give him a msg saying he has already changed his password or something like that. can anyone help me with this regard ? any logic/code wud be helpful..

Thanks.

job0107 · #2 (**permalink**) 02-28-07, 01:20 PM

If you use the <body>s onunload event you can alert them that they have already changed their password. Or send them to a different page. Etc...

n3wb!e · #3 (**permalink**) 02-28-07, 01:51 PM

first of all, thanks for ur time.. umm..but i dont think u got what i was trying to say.. umm.. say i have 5.php which has 2 form elements. 1. <input type="password" name="password"> and a submit button. whenever submit button is pressed, it validates for password's length and all, then takes him to page 6, where the password is updated in the table. (6.php just has an update query). wats happening is, whenever user enters a password and clicks on submit, his password is updated. he can then use his browser's back button to get back to 5.php and change the password again. i dont want that to happen. i even redirected 6.php to some other page say 'success.php' using header, but, nothing happend !?!

bizzar528 · #4 (**permalink**) 02-28-07, 01:56 PM

Maybe require that they enter their old password in conjunction with the new one. Then, on page6, run the logic to make sure they aren't setting it to a different password without validating the current one.

n3wb!e · #5 (**permalink**) 02-28-07, 05:00 PM

its a password reminder page. a user will come to this page only if he doesnt remember his password.

job0107 · #6 (**permalink**) 02-28-07, 05:11 PM

In the <head> in 6.php insert this code and try it.

Code:

<script>
function login_here()
{
 alert("To request your password again\nYou must login again.");
 location.href = "login.php";
 }
</script>

And be sure to have a <body> tag like this:

Code:

<body onunload="login_here();">

Change "login.php", to the page you want to goto.

Nico · #7 (**permalink**) 02-28-07, 05:22 PM

I wouldn't rely on Javascript for things like this.

But why is that bad anyway? Why can't he change the password again?

You could add a field to the users table, and when you send the email, generate a random code and send it with the email to the user and add the value to the field in the database. So the link looks like this more or less:

http://example.com/forgotpass.php?hash=hIkw8302

Then before updating the password, you check if the value in the field matches the one given in the URL.

If it does, update the password and set the value in the database field to 0 for example.

Make sure that the user can't add the 0 manually to the URL and change the pass whenever he wants to.

job0107 · #8 (**permalink**) 02-28-07, 07:19 PM

Nico is right, using the database look-up would be alot more versitle and secure.

n3wb!e · #9 (**permalink**) 02-28-07, 09:46 PM

thank you all.. i am doing the same thing what nico has said.. but while changing password, i am not updating the table(setting the value to 0 as he said here). but i am adding a new row to the table. (the table is basically a log table to know what the consumer is upto !).. whenever a user requests for password, before sending him the mail, i am inserting a row in the database(with some random number and his password request time). when he clicks on the link, i am validating if that random number exists in the table. if it does, then i m showing him the password page. after changing the password, i am not updating the table, but i am inserting a new row(saying, the user changed his password @ this time).
i m validating if the user has already changed the password by doing the following.

PHP Code:


			
$id=$_GET['id'];  // from the query string

$sql = mysql_query("select * from user_logs where consumer_id='$id'",$conn);

$rows=mysql_num_rows($sql);

if($rows > 1){   // if he has requested for the pass and has changed it. 

//There will be only one entry if the user has just requested for the pass ! 

//if there are more then one entry, then he has changed his password.

echo "You have already used this link to change your password.";

exit;

} else {

// show password field

//submit

}

actually, whenever i change my password and click on back button, it shows the password field again! But when i refresh the page, it gives me the message saying "You have already used this link to change your password." why is that so ?

Thanks.

Nico · #10 (**permalink**) 03-01-07, 02:12 AM

It's cause your page is being cached. Try sending these headers on the page.

PHP Code:


			
header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
header('Last-Modified: ' . gmdate('D, d M Y H:i:s') .' GMT');
header('Cache-Control: no-cache');
header('Pragma: no-cache');
header('Cache-Control: post-check=0, pre-check=0', false);