
Possible user security breach / bug?

1/5/2009 2:18:23 AM
PHPRunner General questions
GamezBeCJ author

Hi,
I just uploaded my application for the first time and I believe there is a possible security bug that is of concern.
BACKGROUND INFORMATION:

  • Application created with PHPRunner Enterprise Edition.
  • The database has 6 tables, each with its own tab.
  • Security is set up using the "Dynamic Permissions" option on the "Security" screen.
  • The username/password combination is stored in a database table specifically designated for this purpose, and the passwords are encrypted.
  • The application has been successfully tested on localhost running on my computer (Apache+MySQL - XAMPP) and everything works fine.
  • Browser being used is Internet Explorer 7.

PROBLEM DESCRIPTION:
On a typical day of use, the database will be accessed by different users with different permissions. The problem can be outlined as follows:

  • User 1 logs in.
  • User 1 works on some tables.
  • User 1 logs out.
  • User 2 logs in. So far everything works as expected.
  • User 2 chooses a particular table from the menu.
  • Here's where the problem happens. User 2 will get User 1's screen/table view even if he's logging in from a different computer, and the "Logged on as" legend/label at the top of the screen will show User 1's username!!
  • Only after clicking the refresh button on his/her browser will the screen display the proper information, in this case the one intended for User 2.
  • This will keep happening until User 2 has gone through all six tables and refreshed them at least once.

What is of most concern is that some users will actually get "admin" screens on their browser when they see the tables for the first time ("List View").

QUESTIONS:

  • Has anyone had this problem before?
  • Might this be a PHP or browser setting not related to PHPRunner (although I've checked everything)?
  • Is there an option in PHPRunner that forces the refresh of each page on loading, or the elimination of cached data in the browser after logging out?

Your comments will be appreciated.

GamezBeCJ author 1/5/2009

UPDATE

I checked using the application on Mozilla Firefox and the problem doesn't seem to be present.

Jane 1/5/2009

Hi,
please check the settings in your browser (IE7). It seems your information is cached.

GamezBeCJ author 1/5/2009

Hi Jane:
Thanks for your reply.
I thought about the same thing. It makes sense when the two users have logged in to the application on the same computer: the browser will retain cached information about a previous session.
What this theory doesn't explain is how a user is able to see past session information of a user that logged in on a different computer. That makes one think that the problem is also related to PHPRunner and not only the browser.
Also, one shouldn't depend on the user having certain settings on his computer/browser for the application to run properly, particularly when related to security.
Is there a mechanism built into the PHP files generated by PHPRunner to deal with this situation? Do you think it's a bug?

Jane 1/6/2009

Hi,
in general this happens when a browser or proxy server caches information.
Try to do the following:

  1. open the ..._list.php file,
  2. find this line:
     header("Expires: Thu, 01 Jan 1970 00:00:01 GMT");
  3. and add the following code just after it:
     header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
     header("Cache-Control: no-store, no-cache, must-revalidate");
     header("Cache-Control: post-check=0, pre-check=0", false);
     header("Pragma: no-cache");
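The same header set wrapped in one reusable function, as an added example for this thread (not PHPRunner's own code): the function name, the file name customfunctions.php and the idea of including it from a file every page loads are assumptions, not part of the generated application.

```php
<?php
// Added example, not PHPRunner code. Assumed to live in customfunctions.php and
// to be included from a file that every generated page loads, so each page can
// call send_no_cache_headers() instead of editing every ..._list.php by hand.

function send_no_cache_headers()
{
    // header() only works before any output has been sent; if a template has
    // already echoed something, log where, so the bug is visible rather than silent.
    if (headers_sent($file, $line)) {
        error_log("send_no_cache_headers(): output already started at $file:$line");
        return false;
    }

    // A date in the past marks the page as already stale for HTTP/1.0 caches.
    header("Expires: Thu, 01 Jan 1970 00:00:01 GMT");

    // "Modified right now" defeats conditional (If-Modified-Since) reuse of an old copy.
    header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");

    // no-store: never keep the response on disk or in memory;
    // no-cache / must-revalidate: never reuse a stored copy without asking the server;
    // private: a shared cache (proxy) must not store it for other users at all.
    header("Cache-Control: no-store, no-cache, must-revalidate, private");

    // Internet Explorer specific extensions; the second argument (false) appends
    // this header instead of replacing the Cache-Control line above.
    header("Cache-Control: post-check=0, pre-check=0", false);

    // HTTP/1.0 equivalent honoured by older proxies.
    header("Pragma: no-cache");

    return true;
}

// Typical use at the top of a page, before the first byte of HTML is written.
send_no_cache_headers();
```

Calling it right after the session is started, and before any output, keeps every per-user page out of both the browser cache and any proxy between the browser and the server.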

steveh 1/6/2009

Jane, any chance of adding "Headers" as a global event so we can control which headers are sent (either that or add those headers to all the templates).

GamezBeCJ author 1/6/2009

Thanks for the solution, I'll try it and see how it works. Other users have also been recently reporting that the links between tables behave erratically (i.e. sometimes re-load old views, filtered views, etc.).
Steve:
I had the same issue about having a way of globally adding custom routines. In case it is of any use for you, what I've done is modify the dbcommon.php file with an include(customfunctions.php) line to load my custom functions on every page. I'm still testing all this.

As far as I've been able to see, dbcommon.php is called from every ..._list.php file which will be typically the initial point of entry for the user into the tables information.
Regards,

steveh 1/6/2009

No need to modify dbcommon, just add your code in the global section.
However, this isn't really a solution to the headers, as you'd have to modify the templates each time you applied an upgrade, so this really needs to go in as an event.

GamezBeCJ author 1/14/2009

Hi Steve:
I tried to use an include statement in one of the global events (specifically the Menu page: Before Display) and as soon as the user navigates away from that page, the include loses scope and generates an error when trying to be utilized in other pages.

That's why I initially suggested to manually include it in the dbcommon.php file as this file is always loaded on every page, that effectively means that including something there makes it available through the whole site.
Regards ...

steveh 2/6/2009

Not sure what you mean there, if you check, the global events are in events.php and events.php is included by..... dbcommon.php?