WordPress.org

Ready to get started?Download WordPress

Forums

WordPress Security Log Out ISSUE (16 posts)

  1. peopleinside
    Member
    Posted 10 months ago #

    Hi,
    i have some protected and private page on wordpress.

    There is an issue in Log Out of wordpress. If i log out and a user go back on the browser button they can see my private page.

    Cache must be cleared after log out.
    Can you think to fix this or help me to fix this in my wordpress?
    Thanks.

    It's a security problem!

  2. esmi
    Theme Diva & Forum Moderator
    Posted 10 months ago #

    It's not a WordPress security problem. It's a problem with your computer. If it's a public/multi-user machine, caching should be turned off.

  3. peopleinside
    Member
    Posted 10 months ago #

    If a CMS i secure when a user have the log out session must be expired like a bank website or joomla.

    With WordPress if i go back after log out i can see every page reserved.. i want to fix this, how can i do, please?

  4. peopleinside
    Member
    Posted 10 months ago #

    It's a problem becouse if i want use my website from another pc not mine is good if wordpress can be secured so if i logout from my account my session is expired. Like when i clouse the webbrowser, i can't see anymore any old page without log in again, i want make this when i do the log out.

  5. Again it's not a WordPress issue. Your browser is honoring the cache timeout. That's something you can try setting on your web server so that each time the page is requested the cache has already expired.

    Keep in mind that that's really contrary to good web server tuning since normally you do want the browser to cache things. That reduces the load on your web server.

    http://codex.wordpress.org/WordPress_Optimization/Caching#Browser_Caching

    Try researching mod_headers and mod_expires if you are using an Apache 2 web server. Those two web modules may let you selectively expire specific URLs.

  6. peopleinside
    Member
    Posted 10 months ago #

    It's not possibile to set all cache are been cleared if user do log out? For example adding something into log out page?

  7. I'm something like 99.999% sure that the expiry of a page cache is set when the page is loaded. When the logout action happens there's no way to retroactively reach into the browser's cache and delete things.

    There may be a way to set it for actual logged in users. But the password protected pages and posts don't have to be for logged in users only. Just anyone who has the password.

    Except for explicitly setting it per URL (see those links I posted above) or globally then I'm not sure how to accomplish what you're looking for.

    You could switch to SSL based pages as those are not supposed to be cached but then you'd be swimming in the deep part of the ocean...

  8. peopleinside
    Member
    Posted 10 months ago #

    thank you...

  9. peopleinside
    Member
    Posted 9 months ago #

    How is the standard WordPress cache time expire?

  10. peopleinside
    Member
    Posted 9 months ago #

    Is not possibile for WordPress to set a different cache expiration for all admin pages or if is set a low cache time expire there is some problem whe user edit a page? ..

  11. peopleinside
    Member
    Posted 6 months ago #

    I'm looking again for the log out issue in wordpress.

    I know an open ticket system CMS like this one:
    http://www.hesk.com

    If i log in in the demo as Admin http://www.hesk.com/demo/admin/
    and i navigate in the admin menu after if i press log out and i try to go back with browser a message appear: "Error: Your session has expired, please login using the form below." and i can't see the previous admin page.

    This not happen with WordPress, i fi go back with the browser button after log out i can see all.
    This is no good if i have a not published and private reserved page.

    All data are visible by other people who go back.. why wordpress can't have a check log out and log in system like on Hesk.com Ticket System?

  12. peopleinside
    Member
    Posted 6 months ago #

    I have asked to Hesk for how log in and log out works and i receved this response:

    The logout function simply destroys PHP session and cleans HESK cookies.

    Without an active session or login remembered in the cookie HESK requires the password to be entered to access admin pages.

    Why can't be somthing similar in WordPress?

  13. That actually is what WP does too. I'm 100% sure it deletes sessions (though it doesn't use PHP sessions because that effs up a lot of caching)

  14. peopleinside
    Member
    Posted 6 months ago #

    I don't know how wordpress close the session, i only know the mentioned sistem ticket close better becouse if i try to press back button i can't see admin page but i see a session expired message.

    This not happen with wordpress.
    After log out is possibile to go back and read reserved page. Yes it's true, you can't save or edit nothing but you can read reserved information in the admin panel.. if browser isn't closed.

    I relly hope in the future this is implemeted.
    There is a area where user can insert a featuire request: i want ask this one, session expired message when user go back after log out :)

  15. KProvance
    Member
    Posted 5 months ago #

    @peopleinside - I saw your post about that in the phpjunkyard forums. :)

    I had a successful hesk/wordpress integration for several months. But after I upgraded to WP 3.7, it broke the integration. Every time I attempted to login using a single session, I would get kicked back out to the login page with the session expired message. If I logged in using the the "remember my login' option, I could stay logged in, but then I couldn't use any of the admin functions without an 'invalid action' message. Why? The session token was broken. The active token and the $_SESSION['token'] were never the same. Something in WP 3.7 broke it. For a successful integration, the wp-load.php was required for each page that displayed content. Whatever they changed in the session handling for 3.7, HESK does not like. I'm going to post about it and see if I can make it work again, but I'm not hopeful, and I absolutely despise the iFrame hack to load the hesk page within a WP page. It's ugly.

    Cheers

  16. peopleinside
    Member
    Posted 5 months ago #

    @KProvance - Thanks for your post to my attention.
    From what i know, Hesk has not changed the log-in mode. My discussion was only because i use Hesk and i have also a WordPress blog but I prefer use this Help Solution separately.

    I'm sorry for the inconvenience that you are experiencing.
    I'm sure you will find a solution here or alone.

    :-)

Reply

You must log in to post.

About this Topic