Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
Topic: Disabling the browser back button? |
|
Author |
|
kr33
Joined: 19 Sep 2006 Posts: 64 Location: South Africa
|
Posted: Thu 02 Nov '06 12:44 Post subject: Disabling the browser back button? |
|
|
Hi,
How would I disable the web browsers back button, I only want the user to use the buttons i have in the webpages, to avoid them resubmitting data, especially data that will be uploaded and imported to the MySQL database.
I was told that, this can be achieved using javascript.
Can this be done, if so, how?
Thanks
Quote: | Every man has to go through Hell...to reach his Paradise |
|
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7374 Location: Germany, Next to Hamburg
|
Posted: Thu 02 Nov '06 13:28 Post subject: |
|
|
You can save in your session how fare the user has clicked in the process of your forms.
e.g.
page 5
Code: |
$SESSION['page']=5;
.....
|
page 4
Code: |
if($_SESSION['page']==5){
die('you are not allowed to go back');
}
else
{
//do some stuff
}
|
|
|
Back to top |
|
kr33
Joined: 19 Sep 2006 Posts: 64 Location: South Africa
|
Posted: Thu 02 Nov '06 13:49 Post subject: |
|
|
That seems, logical and I understand perfectly what you are saying,
but i want to be able to literally disable the Web browsers back button and only allow my webpage buttons.
I know that there is some way, using javascript something like
Code: |
<script> history.forward() </script>
|
or something to that effect, but it isn't clear enough. Could you or anyone
else shed some light on this issue. I want to achieve maximum security on this sight, thats all and no loop holes, if you know what I mean.
Thanks |
|
Back to top |
|
Jorge
Joined: 12 Mar 2006 Posts: 376 Location: Belgium
|
Posted: Thu 02 Nov '06 14:32 Post subject: |
|
|
No it can't be done... else AJAX wouldn't have the backbutton of death problem. |
|
Back to top |
|
kr33
Joined: 19 Sep 2006 Posts: 64 Location: South Africa
|
Posted: Thu 02 Nov '06 14:36 Post subject: |
|
|
OK, thanks alot.
It was just brought to my attention that it is possible to hide the browsers toolbar, so the user will not be able to see/use the browsers back/forward buttons and to prevent them from pressing the backspace key as it has the same effect as clicking the back button.
How would you achieve that?
thanks again |
|
Back to top |
|
kr33
Joined: 19 Sep 2006 Posts: 64 Location: South Africa
|
Posted: Thu 02 Nov '06 15:51 Post subject: |
|
|
Here is a javascript function that may help with sort of "disabling" the browser back button
Code: |
<!--
function DisablingBackFunctionality() {
var URL;
var i;
var QryStrValue;
URL=window.location.href;
i=URL.indexOf("?");
QryStrValue=URL.substring(i+1);
if (QryStrValue !='X') {
window.location=URL+"?X";
}
}
//-->
|
Although i'm looking for a better way to do this. Hope sumone out there finds this sorta helpful and now understands completely of what i'm trying to achieve and could possibly have a better way of atleast achieving the same effect. |
|
Back to top |
|
Brian
Joined: 21 Oct 2005 Posts: 209 Location: Puyallup, WA USA
|
Posted: Thu 02 Nov '06 15:52 Post subject: |
|
|
Just keep in mind any solution to hide a toolbar is going to require the browser to respond to the JavaScript requests to take this action. One thought I had was to make each web page they go to during what ever process they are going through that you wish to avoid the use of the BACK button, make it the same page such as:
index.php
...but you pass along variables to indicate which page they are on. In addition to this you could in theory use a cookie or a session variable to track where they have been, in essence you could then redirect them back to the page they were on -but- this would not be an easy solution if you were passing a large number of variables along.
It gets very complicated to avoid the use of the backbutton and it almost makes more sense to instead redirect the user to some page that makes them basically "start over" if they use the back button, but again this would require some tricky session management programming as I see it.
I delt with this a couple of years ago and found that when they press the back button the browser tries to pull the page out of cache, that is why I decided to use a single page for my entire web site and I pass GET and POST vars (depending on circumstances) along and using a tracking method I can kick them back to the login page if they misbehave. |
|
Back to top |
|
kr33
Joined: 19 Sep 2006 Posts: 64 Location: South Africa
|
Posted: Fri 03 Nov '06 9:10 Post subject: |
|
|
That makes perfect sense , and the truth of the matter is...that it is abit of a tricky and more often that not, a problem with abit of a complex solution.
Never-the-less, its a challenge, the javascript code i posted in one of the above messages basically achieves the same result as mentioned by you, that redirects the user to the same page and there by, causing them to redo whatever the did before.
What i've noticed as well is that, not all browsers support this kinda of scripting, which hides/disables browser buttons, so writing a script of this nature, can be somewhat of a tedious task.
If i find a solution to this, that works much more effectively and efficiently than the above, i'll post it up here.
Ciao |
|
Back to top |
|
Brian
Joined: 21 Oct 2005 Posts: 209 Location: Puyallup, WA USA
|
Posted: Fri 03 Nov '06 19:07 Post subject: |
|
|
Just don't rely on JavaScript for any form of security or privacy, it will fail you whether by accident or by the bad intentions of someone.
Use JavaScript for efficiency, for easy of use, for error correction prior to form submissions and things like that. That is why I would rather see the burden placed on the server side scripting.
As an example, I was able to show proof of concept by using FF with the NoScript plugin. At a particular site, with the approval and witness of the webmaster (all ethical and legal here) I was able to login to my account, disable JavaScript, then in a form input some JS that could have created a redirect, or really anthing I wanted to do. Then I saved the data, which was supposed to be my profile such as name, interestes and so on, but in essence I was able to do what ever I wanted to.
Now on this server it checked to see if JS was enabled, and indeed at the time it checked I did have it enabeled but at the time I submitted the data it was disabled. Since there was no server side checking, I was able to deomonstrate a weakness in security that could prove to be costly in some way or another.
The server side technology is not important, in fact this site was a JSP (Java) based site. They relied completely on client side security with a stupidly placed check to see if the browser had JS enabled, that was the extent of the security.
This is an example of why I would never trust or rely on Javascript. |
|
Back to top |
|
kr33
Joined: 19 Sep 2006 Posts: 64 Location: South Africa
|
Posted: Mon 06 Nov '06 8:45 Post subject: |
|
|
Thanks
I will take that it account, all though, the site is purely PHP, the javascript is just for certain client side checks, infact only one check and that is to make sure that, the back button is "diasbled", all other security is done using PHP and is server-side.
I wouldn't rely on javascript or any client-side scripting for security, atleast not on its own.
Thanks for the advice, it's been a major help and has taught me ALOT over that past few weeks.
I just hope to develop web application that would be an example of the web development should be done.
Ciao |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7374 Location: Germany, Next to Hamburg
|
Posted: Thu 15 Mar '07 10:37 Post subject: |
|
|
Hello!
I found a PHP solution, that worked for me. But you have to be very carefull where to put this code into your page! If done wrong, maybe no data will be saved or what ever.
Code: |
if (count ($_POST)) {
header ('Location: ' . $_SERVER['REQUEST_URI']);
die();
}
|
|
|
Back to top |
|
|
|
|
|
|