  1. #1
    Join Date
    Feb 2005
    Location
    Lithuania
    Posts
    78

    Can't go back in a search results

    Hello,
    I can't go back after getting search results in my website. I always get this:

    Warning: Page has Expired The page you requested was created using information you submitted in a form. This page is no longer available. As a security precaution, Internet Explorer does not automatically resubmit your information for you.
    To resubmit your information and view this Web page, click the Refresh button.

    My programmer says he doesn't know the reason, but I think he does, but doesn't tell me. The search is in PHP, using MySQL. Any thoughts what is happening?

  2. #2
    Join Date
    Nov 2004
    Location
    India
    Posts
    1,100
    There may be two reasons I can think of.

    1. It's a known problem in IE (Internet Explorer). You have to disable the option "Tools >> Internet Options >> Advanced >> Security >> Do not save encrypted pages to disk" in your IE settings. Try the same page in Firefox, it may work for you.

    2. Your programmer might have used "cache-control" header in the program.
    AssistanZ - Beyond Boundaries...
    Cloudstack Consultancy / 24x7 Web Hosting Support / 24x7 Server Management / Infrastructure Management Services
    Web & Mobile Apps Development / Web Designing Services / Php, Grails, Java Development

  3. #3
    Join Date
    Jul 2003
    Location
    Kuwait
    Posts
    5,099
    POSTed information is not resent when you hit the back button on your browser.

    You can try this very simply by creating two forms -- one using method GET, one using POST, then try and see which one gives you an error when you try to hit 'back'.

    By the way, as a curious side note, notice how major search engines list the query in the address bar (i.e., use GET). This is so you can easily bookmark searches. You can't do that with posted information.

    For example with Google, you can type your search term after q= as in the following:

    www.google.com/search?q=search+help
    In order to understand recursion, one must first understand recursion.
    If you feel like it, you can read my blog
    Signal > Noise

  4. #4
    Join Date
    Feb 2005
    Location
    Lithuania
    Posts
    78
    Disabling in IE didn't help.
    My search looks like this: first step, where I write the query:
    http://www.......com/vynai.php?name=Vyno+paie%F0ka
    second step, there I get the results:
    http://www......com/iekom.php
    third step: I am in one of these results:
    http://www.....com/vynas.php?id=21

    So, I can't go back from No. 3 to No. 2.

  5. #5
    Join Date
    Oct 2005
    Posts
    890
    That always happens in phpBB for me. That's why I always use vBulletin.

  6. #6
    Join Date
    Jul 2003
    Location
    Kuwait
    Posts
    5,099
    That's because what you see in number 3 is a result of a POST request.

  7. #7
    Join Date
    Feb 2005
    Location
    Lithuania
    Posts
    78
    Well, my programmer says it's IE's fault. The problem is that I do not understand PHP, so if you think he did something wrong, advise me what to say to him.

  8. #8
    Join Date
    Sep 2005
    Location
    India
    Posts
    750
    Ask your programmer to use GET instead of POST in the "method" attribute of the <form> tag
    Darsh Web Solutions : Web Design, PHP Development, E-Commerce Solutions

    PHP Tutorials : Tutorials and scripts for beginners

  9. #9
    That may be insecure in some cases....!

  10. #10
    Join Date
    Feb 2005
    Location
    Lithuania
    Posts
    78
    Could you explain more how "get" affects security?

  11. #11
    The key values and GET access strings are stored in the log files of the servers, and they can also be saved on the user's machine in simple text format. That's why it's insecure to use GET for sending any parameters, except "View-Control".

  12. #12
    Join Date
    Sep 2005
    Location
    India
    Posts
    750

    GET is harmless in this case

    lanas is simply using the form for searching. He is not sending any sensitive information (Credit Cards info, login, password) through the form.

    In this case using GET will be completely harmless. All search engines use GET instead of POST.

  13. #13
    Join Date
    Feb 2005
    Location
    Lithuania
    Posts
    78
    Yes, this is a simple search

  14. #14
    Join Date
    Jul 2003
    Location
    Kuwait
    Posts
    5,099
    Could you explain more how "get" affects security?
    In addition to what Zemnon posted, another way to look at this is that user agents (the term that is used for any client) will not allow re-fetching of a posted request -- as evident by this problem -- and usually will give a security warning.

    Such warnings are not displayed for GET requests. Here is a simple way to illustrate a problem. Suppose that you are coding a financial website to sell stocks. You got 128-bit SSL and all the other stuff, and your final step purchase script looks like:

    instant-buy.php?ticker=GOOG&price=400&quantity=5

    Using .php here as an example, this problem is not language specific.

    Someone could simply request:

    instant-buy.php?ticker=GOOG&price=40&quantity=20

    Your script would happily accept those values and confirm the purchase.

    Another example more towards what Zemnon was talking about, suppose you have a login script:

    login.php?id=user&password=secret

    Firstly, a user can bookmark that URL and be logged into your system. If that user is away from their station, anyone else can log in by simply clicking on their bookmark. Or, an under-paid server monkey can scan the logs and pick up on your username and password! Worse still, some server setups have online access to view log files, and such information would be out there flapping in the wind.

    Hopefully, this helps clear up the issue.
    In order to understand recursion, one must first understand recursion.
    If you feel like it, you can read my blog
    Signal > Noise
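
    Added example (not part of the original thread): a server-side check for the instant-buy scenario in post #14, written in Python because the post notes the problem is not language specific. The price table, quantity limit and function names are assumptions made for this sketch; the price is looked up on the server and a request-supplied price is only compared against it, whichever HTTP method carried it.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side price table; the authoritative price never comes from the request.
SERVER_PRICES = {"GOOG": Decimal("400.00")}
MAX_QUANTITY = 1000  # assumed business limit for this example


class OrderRejected(Exception):
    """Raised when an order fails server-side validation."""


def confirm_purchase(method, params):
    """Validate an order against server-side data and return the total charged."""
    # State-changing requests should not be plain GET links: those are
    # bookmarkable, end up in logs, and can be re-fetched silently.
    if method != "POST":
        raise OrderRejected("purchases must be submitted with POST")
    ticker = params.get("ticker", "")
    if ticker not in SERVER_PRICES:
        raise OrderRejected("unknown ticker")
    try:
        quantity = int(params.get("quantity", ""))
    except ValueError:
        raise OrderRejected("quantity is not an integer")
    if not 1 <= quantity <= MAX_QUANTITY:
        raise OrderRejected("quantity out of range")
    price = SERVER_PRICES[ticker]
    # A client-supplied price is only a consistency check: a mismatch means
    # the value was altered or the page the user saw is stale.
    if "price" in params:
        try:
            claimed = Decimal(params["price"])
        except InvalidOperation:
            raise OrderRejected("price is not a number")
        if claimed != price:
            raise OrderRejected("price does not match the server-side quote")
    return price * quantity


if __name__ == "__main__":
    print(confirm_purchase("POST", {"ticker": "GOOG", "price": "400", "quantity": "5"}))
```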
