I can't go back after getting search results in my website. I always get this:
Warning: Page has Expired The page you requested was created using information you submitted in a form. This page is no longer available. As a security precaution, Internet Explorer does not automatically resubmit your information for you.
To resubmit your information and view this Web page, click the Refresh button.
My programmer says he doesn't know the reason, but I think he does, but doesn't tell me. The search is in PHP, using MySQL. Any thoughts what is happening?
1. It's a known problem in IE (Internet Explorer). You have to disable the option "Tools >> Internet Options >> Advanced >> Security >> Do not save encrypted pages to disk" in your IE settings. Try the same page in Firefox, it may work for you.
2. Your programmer might have used "cache-control" header in the program.
POSTed information is not resent when you hit the back button on your browser.
You can try this very simply by creating two forms -- one using method GET, one using POST, then try and see which one gives you an error when you try to hit 'back'.
By the way, as a curious side note, notice how major search engines list the query in the address bar (ie, use GET). This is so you can easily bookmark searches. You can't do that with posted information.
For example with Google, you can type your search term after q= as in the following:
The key values and GET access strings are stored in the log files of the servers, and they can also be saved on the user's machine in simple text format. That's why it's insecure to use GET for sending any parameters, except "View-Control".
Could you explain more how "get" affects security?
In addition to what Zemnon posted, another way to look at this is that user agents (the term that is used for any client) will not allow re-fetching of a posted request -- as evident by this problem -- and usually will give a security warning.
Such warnings are not displayed for get requests. A simple way to illustrate a problem. Suppose that you are coding a financial website to sell stocks. You got 128 bit SSL and all the other stuff, and your final step purchase script looks like:
Using .php here as an example, this problem is not language specific.
Someone could simply request:
Your script would happily accept those values and confirm the purchase.
Another example more towards what Zemnon was talking about, suppose you have a login script:
Firstly, a user can bookmark that URL and be logged into your system. If that user is away from their station, anyone else can log in by simply clicking on their bookmark. Or, an under-paid server monkey can scan the logs and pick up on your username and password! Worse still, some server setups have online access to view log files, and such information would be out there flapping in the wind.
Hopefully, this helps clear up the issue.