I am creating a login system in PHP, but I had a problem where you could log out and then go back in the history and reload the page that processes the login POST data, and it would log you in. I added a hidden input with a random value to prevent logging in by resending the same data, BUT WHEN I RESEND DATA, THE BROWSER STILL ASKS TO STORE THE PASSWORD, even though my PHP code recognizes an attempt to sign in through page refresh. If I save the password during the page refresh, it is possible to back up to the login page and log in with the saved password. I want to be able to allow the user to save the password except during reloading of login data. I don't want to use any JavaScript as it can easily be disabled in browser settings. I think I'm using PRG correctly.
-
You can't in modern browsers. – GrumpyCrouton Jul 18 '19 at 20:37
-
Possible duplicate of [How to prevent a browser from storing password](https://stackoverflow.com/questions/41217019/how-to-prevent-a-browser-from-storing-password) – GrumpyCrouton Jul 18 '19 at 20:38
-
@GrumpyCrouton I want to allow password storage, except when resending form data – Zachary Thomas Jul 18 '19 at 20:41
-
If you redirect the user after they log in (as in, the user is on the login page, puts in their details and presses "login". Then, PHP should handle the login, then _redirect_ the user instead of just loading the page), users shouldn't be able to resend form data, even when going back in the browser. – GrumpyCrouton Jul 18 '19 at 20:42
-
What Grumpy says.. Do something like `if($loginSuccess) { header('Location: index.php'); exit(); }` – ArendE Jul 18 '19 at 21:00
-
Thank you so much @GrumpyCrouton! I had to rearrange some things to get the header redirect to work before any HTML got loaded, but it works like a dream. – Zachary Thomas Jul 18 '19 at 21:15
-
@ZacharyRudzik Glad I could help – GrumpyCrouton Jul 19 '19 at 12:34
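
The redirect-after-POST flow suggested in the comments, combined with the single-use hidden token described in the question, as an added example that is not part of the original thread. The file name `login.php`, the session keys, and the demo account are assumptions made for illustration.

```php
<?php
// login.php: constructed example. File names, session keys and the demo user are assumptions.
session_start();

// Constructed demo user store; a real application would look up a stored hash instead.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Consume the one-time token first, so a replayed POST can never match again.
    $expected = $_SESSION['login_token'] ?? '';
    unset($_SESSION['login_token']);
    $sent = $_POST['token'] ?? '';
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';

    // is_string() guards reject array-valued fields before the comparisons run.
    $tokenOk = is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
    $credsOk = is_string($user) && is_string($pass)
        && isset($users[$user]) && password_verify($pass, $users[$user]);

    if ($tokenOk && $credsOk) {
        session_regenerate_id(true);   // fresh session ID once the user is authenticated
        $_SESSION['user'] = $user;
        header('Location: index.php', true, 303);
    } else {
        $_SESSION['login_error'] = 'Login failed.';
        header('Location: login.php', true, 303);
    }
    exit;   // never render a body in response to the POST itself
}

// GET: issue a fresh single-use token and show any error left by the last attempt.
$_SESSION['login_token'] = bin2hex(random_bytes(32));
$error = $_SESSION['login_error'] ?? '';
unset($_SESSION['login_error']);
?>
<!DOCTYPE html>
<html><body>
<?php if ($error !== ''): ?><p><?= htmlspecialchars($error) ?></p><?php endif; ?>
<form method="post" action="login.php">
  <input type="hidden" name="token" value="<?= htmlspecialchars($_SESSION['login_token']) ?>">
  <input name="username" autocomplete="username">
  <input name="password" type="password" autocomplete="current-password">
  <button type="submit">Log in</button>
</form>
</body></html>
```

Every `header()` call here runs before any output is sent, which is the rearrangement the asker describes; both the success and failure paths answer the POST with a 303 redirect, so the page the user ends up on is always the result of a GET.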