logo
Apache Lounge
Webmasters

 


About

Forum Index Downloads Search Register Log in  RSS Apache Lounge
 



Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Apache Lounge is not sponsored.

Your donations will help to keep this site alive and well, and continuing building binaries.



Disabling the browser back button?

 
Post new topic   Reply to topic    Apache Forum Index -> Coding & Scripting Corner



View previous topic :: View next topic  
Author Message
kr33



Joined: 19 Sep 2006
Posts: 64
Location: South Africa

PostPosted: Thu 02 Nov '06 12:44    Post subject: Disabling the browser back button? Reply with quote

Hi,

How would I disable the web browsers back button, I only want the user to use the buttons i have in the webpages, to avoid them resubmitting data, especially data that will be uploaded and imported to the MySQL database.

I was told that, this can be achieved using javascript.

Can this be done, if so, how?

Thanks

Quote:
Every man has to go through Hell...to reach his Paradise
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6255
Location: Germany, Next to Hamburg

PostPosted: Thu 02 Nov '06 13:28    Post subject: Reply with quote

You can save in your session how fare the user has clicked in the process of your forms.

e.g.
page 5
Code:

$SESSION['page']=5;
.....


page 4
Code:

if($_SESSION['page']==5){
     die('you are not allowed to go back');
}
else
{
//do some stuff
}
Back to top
kr33



Joined: 19 Sep 2006
Posts: 64
Location: South Africa

PostPosted: Thu 02 Nov '06 13:49    Post subject: Reply with quote

That seems, logical and I understand perfectly what you are saying,
but i want to be able to literally disable the Web browsers back button and only allow my webpage buttons.

I know that there is some way, using javascript something like

Code:

     <script> history.forward() </script>


or something to that effect, but it isn't clear enough. Could you or anyone
else shed some light on this issue. I want to achieve maximum security on this sight, thats all and no loop holes, if you know what I mean.

Thanks
Back to top
Jorge



Joined: 12 Mar 2006
Posts: 376
Location: Belgium

PostPosted: Thu 02 Nov '06 14:32    Post subject: Reply with quote

No it can't be done... else AJAX wouldn't have the backbutton of death problem.
Back to top
kr33



Joined: 19 Sep 2006
Posts: 64
Location: South Africa

PostPosted: Thu 02 Nov '06 14:36    Post subject: Reply with quote

OK, thanks alot.

It was just brought to my attention that it is possible to hide the browsers toolbar, so the user will not be able to see/use the browsers back/forward buttons and to prevent them from pressing the backspace key as it has the same effect as clicking the back button.

How would you achieve that?

thanks again
Back to top
kr33



Joined: 19 Sep 2006
Posts: 64
Location: South Africa

PostPosted: Thu 02 Nov '06 15:51    Post subject: Reply with quote

Here is a javascript function that may help with sort of "disabling" the browser back button

Code:

<!--
function DisablingBackFunctionality() {
   var URL;
   var i;
   var QryStrValue;
   
   URL=window.location.href;
   i=URL.indexOf("?");
   QryStrValue=URL.substring(i+1);
   if (QryStrValue !='X') {
      window.location=URL+"?X";
   }
}
//-->


Although i'm looking for a better way to do this. Hope sumone out there finds this sorta helpful and now understands completely of what i'm trying to achieve and could possibly have a better way of atleast achieving the same effect.
Back to top
Brian



Joined: 21 Oct 2005
Posts: 209
Location: Puyallup, WA USA

PostPosted: Thu 02 Nov '06 15:52    Post subject: Reply with quote

Just keep in mind any solution to hide a toolbar is going to require the browser to respond to the JavaScript requests to take this action. One thought I had was to make each web page they go to during what ever process they are going through that you wish to avoid the use of the BACK button, make it the same page such as:

index.php

...but you pass along variables to indicate which page they are on. In addition to this you could in theory use a cookie or a session variable to track where they have been, in essence you could then redirect them back to the page they were on -but- this would not be an easy solution if you were passing a large number of variables along.

It gets very complicated to avoid the use of the backbutton and it almost makes more sense to instead redirect the user to some page that makes them basically "start over" if they use the back button, but again this would require some tricky session management programming as I see it.

I delt with this a couple of years ago and found that when they press the back button the browser tries to pull the page out of cache, that is why I decided to use a single page for my entire web site and I pass GET and POST vars (depending on circumstances) along and using a tracking method I can kick them back to the login page if they misbehave.
Back to top
kr33



Joined: 19 Sep 2006
Posts: 64
Location: South Africa

PostPosted: Fri 03 Nov '06 9:10    Post subject: Reply with quote

That makes perfect sense , and the truth of the matter is...that it is abit of a tricky and more often that not, a problem with abit of a complex solution.

Never-the-less, its a challenge, the javascript code i posted in one of the above messages basically achieves the same result as mentioned by you, that redirects the user to the same page and there by, causing them to redo whatever the did before.

What i've noticed as well is that, not all browsers support this kinda of scripting, which hides/disables browser buttons, so writing a script of this nature, can be somewhat of a tedious task.

If i find a solution to this, that works much more effectively and efficiently than the above, i'll post it up here.

Ciao Wink
Back to top
Brian



Joined: 21 Oct 2005
Posts: 209
Location: Puyallup, WA USA

PostPosted: Fri 03 Nov '06 19:07    Post subject: Reply with quote

Just don't rely on JavaScript for any form of security or privacy, it will fail you whether by accident or by the bad intentions of someone.

Use JavaScript for efficiency, for easy of use, for error correction prior to form submissions and things like that. That is why I would rather see the burden placed on the server side scripting.

As an example, I was able to show proof of concept by using FF with the NoScript plugin. At a particular site, with the approval and witness of the webmaster (all ethical and legal here) I was able to login to my account, disable JavaScript, then in a form input some JS that could have created a redirect, or really anthing I wanted to do. Then I saved the data, which was supposed to be my profile such as name, interestes and so on, but in essence I was able to do what ever I wanted to.

Now on this server it checked to see if JS was enabled, and indeed at the time it checked I did have it enabeled but at the time I submitted the data it was disabled. Since there was no server side checking, I was able to deomonstrate a weakness in security that could prove to be costly in some way or another.

The server side technology is not important, in fact this site was a JSP (Java) based site. They relied completely on client side security with a stupidly placed check to see if the browser had JS enabled, that was the extent of the security.

This is an example of why I would never trust or rely on Javascript.
Back to top
kr33



Joined: 19 Sep 2006
Posts: 64
Location: South Africa

PostPosted: Mon 06 Nov '06 8:45    Post subject: Reply with quote

Thanks

I will take that it account, all though, the site is purely PHP, the javascript is just for certain client side checks, infact only one check and that is to make sure that, the back button is "diasbled", all other security is done using PHP and is server-side.

I wouldn't rely on javascript or any client-side scripting for security, atleast not on its own.

Thanks for the advice, it's been a major help and has taught me ALOT over that past few weeks.

I just hope to develop web application that would be an example of the web development should be done.

Ciao
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6255
Location: Germany, Next to Hamburg

PostPosted: Thu 15 Mar '07 10:37    Post subject: Reply with quote

Hello!
I found a PHP solution, that worked for me. But you have to be very carefull where to put this code into your page! If done wrong, maybe no data will be saved or what ever.

Code:

if  (count ($_POST)) {
    header ('Location: ' . $_SERVER['REQUEST_URI']);
    die();
}
Back to top


Post new topic   Reply to topic    Apache Forum Index -> Coding & Scripting Corner
Page 1 of 1